Context Navigation

Changes between Initial Version and Version 1 of Ticket #36000

Timestamp:: Dec 11, 2024, 10:54:03 AM (7 days ago)
Author:: Sarah Boyce
Comment:: Thank you! Note that the security team discussed this and agreed this can be handled publicly. This is similar to #34380.

Ticket #36000
- Property Has patch unset
- Property Triage Stage Unreviewed → Accepted
- Property Summary Insecure URL Handling (HTTP Protocol Default) in urlize → Update default from http to https in urlize when protocol not provided

-              initial
+              v1
+Hi Team,
+In django/utils/html.py  ,Line no 347 ,Due to following code,
+In `django/utils/html.py`, `urlize` there is:
+{{{
 url = smart_urlquote("http://%s" % html.unescape(middle))
+}}}
+When user input does not include protocol it defaultly prefers http (Insecure Protocol).
+When user input does not include a protocol it defaults to http (Insecure Protocol).
 Example :
+Considered a web app using urlize() for password reset email template
+input = Password reset link myapp.com/password/reset/{token}
+output,
+Password reset link <a href="http://myapp.com/password/reset/{token}"/>
+Considered a web app using `urlize()` for password reset email template
+{{{
+input = "Password reset link myapp.com/password/reset/{token}"
+}}}
+output:
+{{{
+"Password reset link <a href="http://myapp.com/password/reset/{token}"/>"
+}}}
 so when end user of myapp clicks it the url with token sent in http insecure protocol.
 This behavior could potentially lead to man-in-the-middle attacks