id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36000	Insecure URL Handling (HTTP Protocol Default) in urlize	Saravana		"Hi Team,
In django/utils/html.py  ,Line no 347 ,Due to following code,
url = smart_urlquote(""http://%s"" % html.unescape(middle))

When user input does not include protocol it defaultly prefers http (Insecure Protocol).
Example :
Considered a web app using urlize() for password reset email template
input = Password reset link myapp.com/password/reset/{token}
output,
Password reset link <a href=""http://myapp.com/password/reset/{token}""/>
so when end user of myapp clicks it the url with token sent in http insecure protocol.

This behavior could potentially lead to man-in-the-middle attacks

Suggested Fix:
Default to HTTPS: If the URL doesn't specify a protocol, Django could default to https://"	Cleanup/optimization	new	HTTP handling	5.1	Normal			Saravana	Unreviewed	1	0	0	0	1	0