﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36012	Urlize incorrectly handles punctuation in email addresses	Mike Edmunds	Mike Edmunds	"Several punctuation characters (''%, &, +, !,'' etc.) can—and sometimes do—appear in the local part of an email address (before the @). The urlize template filter doesn't correctly encode them, which can result in broken mailto links.

Example (Django 5.1.4):

{{{#!python
from django.template.defaultfilters import urlize
urlize(""it%dept@example.org"")
#   '<a href=""mailto:it%dept@example.org"">it%dept@example.org</a>'
# Expected:
#   '<a href=""mailto:it%25dept@example.org"">it%dept@example.org</a>'
}}}

Clicking the resulting mailto link might work as expected, or do nothing, or could launch a mail composer with a missing or incorrect email address, depending on the specific address, browser and email app. Sequences that could also be percent-encoded characters (like ""%de"" in the example) are especially prone to unpredictable results.

The mailto URI spec [https://datatracker.ietf.org/doc/html/rfc6068#section-2:~:text=A%20number%20of,percent%2D%0A%20%20%20%20%20%20%20encoded%3A%20%22%26%22%2C%20%22%3B%22%2C%20and%20%22%3D%22. RFC 6068] requires percent encoding most punctuation in this situation (section 2, item 1; also see section 5, ''Encoding'').

Proposed fix: apply urllib.parse.quote() to `local` where the [https://github.com/django/django/blob/54059125956789ad4c19b77eb7f5cde76eec0643/django/utils/html.py#L360 mailto link is constructed] in django.utils.html.Urlizer. (Although not strictly necessary, it wouldn't hurt to also quote `domain` there.)
"	Bug	closed	Utilities	5.1	Normal	fixed			Ready for checkin	1	0	0	0	0	0
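Added illustration of the bug and the proposed fix (this is example code, not Django's Urlizer or the reporter's code): `build_mailto` is a stand-in for the current unencoded mailto construction, `build_mailto_fixed` applies the proposed `urllib.parse.quote()` to the local part (and domain), and `decoded_target` models what a mail client sees after percent-decoding the href. All three function names are assumed.

```python
from html import escape, unescape
from urllib.parse import quote, unquote


def build_mailto(address: str) -> str:
    # Stand-in for the current behaviour described in the ticket:
    # the address is HTML-escaped but never percent-encoded.
    return f'<a href="mailto:{escape(address)}">{escape(address)}</a>'


def build_mailto_fixed(address: str) -> str:
    # Proposed fix: percent-encode the local part before building the
    # mailto: URL. safe='' makes quote() encode every reserved character
    # ('%', '&', '+', '!', '/', ...), as RFC 6068 section 2 requires.
    local, domain = address.rsplit('@', 1)
    href = f'mailto:{quote(local, safe="")}@{quote(domain, safe="")}'
    return f'<a href="{escape(href)}">{escape(address)}</a>'


def decoded_target(html_link: str) -> str:
    # Rough model of a click: undo HTML escaping, pull the href out,
    # then percent-decode it the way a URI consumer would.
    link = unescape(html_link)
    start = link.index('href="mailto:') + len('href="mailto:')
    end = link.index('"', start)
    return unquote(link[start:end])


if __name__ == '__main__':
    # Constructed sample addresses, including the '%de' case from the ticket.
    for addr in ('it%dept@example.org', 'a+b&c!d@example.org'):
        for builder in (build_mailto, build_mailto_fixed):
            link = builder(addr)
            print(f'{builder.__name__:19} {link}')
            print(f'{"decoded target":19} {decoded_target(link)!r}')
```

With the unencoded link, `%de` is percent-decoded into a byte that is not valid UTF-8, so the decoded target is no longer the original address; the fixed link decodes back to exactly `it%dept@example.org`.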
