Opened 4 months ago
Closed 4 months ago
#36012 closed Bug (fixed)
Urlize incorrectly handles punctuation in email addresses
Description ¶
Several punctuation characters (%, &, +, !, etc.) can—and sometimes do—appear in the local part of an email address (before the @). The urlize template filter doesn't correctly encode them, which can result in broken mailto links.
Example (Django 5.1.4):
from django.template.defaultfilters import urlize urlize("it%dept@example.org") # '<a href="mailto:it%dept@example.org">it%dept@example.org</a>' # Expected: # '<a href="mailto:it%25dept@example.org">it%dept@example.org</a>'
Clicking the resulting mailto link might work as expected, or do nothing, or could launch a mail composer with a missing or incorrect email address, depending on the specific address, browser and email app. Sequences that could also be percent-encoded characters (like "%de" in the example) are especially prone to unpredictable results.
The mailto URI spec RFC 6068 requires percent encoding most punctuation in this situation (section 2, item 1; also see section 5, Encoding).
Proposed fix: apply urllib.parse.quote() to local where the mailto link is constructed in django.utils.html.Urlizer. (Although not strictly necessary, it wouldn't hurt to also quote domain there.)
Change History (5)
comment:1 by , 4 months ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 4 months ago
| Needs tests: | set |
|---|
comment:3 by , 4 months ago
| Needs tests: | unset |
|---|
comment:4 by , 4 months ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
comment:5 by , 4 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
In 322e49b: