Context Navigation

← Previous Ticket
Next Ticket →

#36017 closed Bug (fixed)

Urlize email address allows punctuation in domains

Reported by:	Mike Edmunds	Owned by:	Gregory Mariani
Component:	Utilities	Version:	5.1
Severity:	Normal	Keywords:
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

The urlize template filter incorrectly recognizes domains in email addresses, linkifying punctuation that shouldn't be included in the address:

# Django 5.1.4, Python 3.12.4
from django.template.defaultfilters import urlize
urlize("email me@example.com,then I'll respond")
'email <a href="mailto:me@example.com,then">me@example.com,then</a> I&#x27;ll respond'
urlize("test@example?;+!.com")
'<a href="mailto:test@example?;+!.com">test@example?;+!.com</a>'

The first example should probably stop before the comma. The second example probably shouldn't linkify at all.

Change History (13)

comment:1 by Sarah Boyce, 11 months ago

Triage Stage:	Unreviewed → Accepted

comment:2 by Mike Edmunds, 10 months ago

Possible fix: Urlizer could check that validate_email() would allow the email address before generating a mailto. That would result in it ignoring both of the examples above. (#36014 would need to be fixed first to avoid rejecting some international domains.)

comment:3 by Gregory Mariani, 10 months ago

Owner:	set to Gregory Mariani
Status:	new → assigned

I have done a fix, need to run the CI to validate, first time on this repo for me:
django.utils.html.py

...
    @staticmethod
    def is_email_simple(value):
        """Return True if value looks like an email address."""
        # An @ must be in the middle of the value.
        if "@" not in value or value.startswith("@") or value.endswith("@"):
            return False
        try:
            p1, p2 = value.split("@")
        except ValueError:
            # value contains more than one @.
            return False
        # Max length for domain name labels is 63 characters per RFC 1034.
        # Helps to avoid ReDoS vectors in the domain part.
        if len(p2) > 63:
            return False
        # Dot must be in p2 (e.g. example.com)
        if "." not in p2 or p2.startswith("."):
            return False
        if not validate_email(value):
            return False
        return True

Version 0, edited 10 months ago by Gregory Mariani (next)

comment:4 by Gregory Mariani, 10 months ago

Has patch:	set

comment:5 by Mike Edmunds, 10 months ago

Needs tests:	set

comment:6 by Gregory Mariani, 10 months ago

Needs tests:	unset

Test done and PR validated on PR #18959

Last edited 10 months ago by Mike Edmunds (previous) (diff)

comment:7 by Gregory Mariani, 9 months ago

Triage Stage:	Accepted → Ready for checkin

comment:8 by Sarah Boyce, 9 months ago

Triage Stage:	Ready for checkin → Accepted

comment:9 by Sarah Boyce, 9 months ago

Patch needs improvement:	set

comment:10 by Gregory Mariani, 9 months ago

Patch needs improvement:	unset

@Sarah Boyce who change the triage if someone has already done a review on the PR ?

comment:11 by Sarah Boyce, 9 months ago

Triage Stage:	Accepted → Ready for checkin

comment:12 by Sarah Boyce <42296566+sarahboyce@…>, 9 months ago

Resolution:	→ fixed
Status:	assigned → closed

In 61dae11d:

Fixed #36017 -- Used EmailValidator in urlize to detect emails.

comment:13 by Sarah Boyce <42296566+sarahboyce@…>, 9 months ago

In dab04b89:

[5.2.x] Fixed #36017 -- Used EmailValidator in urlize to detect emails.

Backport of 61dae11df52fae71fc3050974ac459f362c9dfd7 from main.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues