Update default from http to https in urlize when protocol not provided

[Saravana]

In django/utils/html.py, urlize there is:

url = smart_urlquote("http://%s" % html.unescape(middle))

When user input does not include a protocol it defaults to http (Insecure Protocol).

Example :
Considered a web app using urlize() for password reset email template

input = "Password reset link myapp.com/password/reset/{token}"

output:

"Password reset link <a href="http://myapp.com/password/reset/{token}"/>"

so when end user of myapp clicks it the url with token sent in http insecure protocol.
This behavior could potentially lead to man-in-the-middle attacks

Suggested Fix:
Default to HTTPS: If the URL doesn't specify a protocol, Django could default to ​https://

[Sarah Boyce]

Thank you!
Note that the security team discussed this and agreed this can be handled publicly. This is similar to #34380.

[Adam Johnson]

I think we can use a plan similar to how #34380 shook out, with a plan like:

1. Introduce a transitional setting (URLIZE_ASSUME_HTTPS) that defaults to False. This goes on the deprecation plan for removal in N+2 versions.
2. When the ​responsible code path is hit (which should be fairly rare as it only applies to ​limited domains), check the setting. If it’s False, warn and use 'http', otherwise use 'https'.

[Saravana]

Yeah sure,
i will work on that

[IronJam]

I will be happy to work on this one if its available

[Ahmed Nassar]

I’d love to contribute to this issue.

[Saravana]

Replying to Ahmed Nassar:

I’d love to contribute to this issue.

Yeah you can work on it

[Ahmed Nassar]

The issue regarding defaulting to HTTP instead of HTTPS in urlize has been addressed. A fix has been implemented to ensure that URLs without a specified protocol now default to HTTPS, improving security and preventing potential MITM attacks.

🔗 Pull Request: ​https://github.com/django/django/pull/19240

Summary of Fix:
✅ Updated urlize to default to HTTPS when no protocol is provided.
✅ Ensured backward compatibility with a transitional URLIZE_ASSUME_HTTPS setting.
✅ Followed Django's deprecation plan for smooth transition in future versions.
✅ Added relevant tests to confirm correct behavior.

The changes have been tested, and everything appears to be working as expected. Please review when possible and let me know if any adjustments are needed.

Looking forward to your feedback!

[Ahmed Nassar]

I have completed all requested changes in the PR ​https://github.com/django/django/pull/19240, including:

Addressing all review comments.
Pushing a commit with the latest updates.
Ensuring all tests pass successfully.
Updating the documentation to reflect the introduced URLIZE_ASSUME_HTTPS setting.

Additionally, I have added and updated some tests and documentation to ensure proper coverage and clarity. Given that the Trac ticket currently has "Needs tests: No" and "Needs documentation: No", should these be updated to "Needs tests: Yes" and "Needs documentation: Yes" to reflect these additions?

[Sarah Boyce]

Additionally, I have added and updated some tests and documentation to ensure proper coverage and clarity. Given that the Trac ticket currently has "Needs tests: No" and "Needs documentation: No", should these be updated to "Needs tests: Yes" and "Needs documentation: Yes" to reflect these additions?

Yes when you want another review, you should do this as it will put the ticket in the review queue. I have given a review, so once you've resolved those comments you can update this ticket

[Ahmed Nassar]

Thank you for the review and clarification.

• Addressed and resolved all comments in the PR ​https://github.com/django/django/pull/19240
• Ensured passing all tests and documentation checks correctly.

Looking forward to your review and feedback!

[Sarah Boyce <42296566+sarahboyce@…>]

In ec7044c7:

Fixed #36000 -- Deprecated HTTP as the default protocol in urlize and urlizetrunc.