id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36000	Update default from http to https in urlize when protocol not provided	Saravana	Ahmed Nassar	"In `django/utils/html.py`, in `urlize`, there is:
{{{
url = smart_urlquote(""http://%s"" % html.unescape(middle))
}}}

When user input does not include a protocol, it defaults to http (an insecure protocol).

Example:
Consider a web app using `urlize()` for a password reset email template
{{{
input = ""Password reset link myapp.com/password/reset/{token}""
}}}
output:
{{{
""Password reset link <a href=""http://myapp.com/password/reset/{token}""/>""
}}}

so when the end user of myapp clicks it, the URL with the token is sent over the insecure HTTP protocol.
This behavior could potentially lead to man-in-the-middle attacks.

Suggested Fix:
Default to HTTPS: If the URL doesn't specify a protocol, Django could default to https://"	Cleanup/optimization	closed	Template system	5.1	Normal	fixed		Saravana	Ready for checkin	1	0	0	0	1	0
