Opened 16 years ago

Closed 16 years ago

#6514 closed (fixed)

urlize does not escape url correctly

Reported by: Daniel Pope <dan@…>
Owned by: nobody
Component: Template system
Version: dev
Severity:
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

urlize leaves unencoded characters in href attributes. In particular, & must be escaped as &amp; for valid XHTML. I believe unescaped '&'s are also invalid in HTML but HTML parsers are forgiving about this.

From the regression tests, http://example.com/x=&y= is converted to <a href="http://example.com/x=&y=" rel="nofollow">http://example.com/x=&amp;y=</a>.

It should be converted to <a href="http://example.com/x=&amp;y=" rel="nofollow">http://example.com/x=&amp;y=</a>.

Attachments (4)

urlize.diff (900 bytes) - added by David Tulig 16 years ago.
    Escapes all ampersands.
6514.diff (6.4 KB) - added by Chris Beaven 16 years ago.
6514.2.diff (6.4 KB) - added by Chris Beaven 16 years ago.
6514.3.diff (6.9 KB) - added by Chris Beaven 16 years ago.


Change History (9)

comment:1 by Chris Beaven, 16 years ago

Summary: urlize does not escape & characters → urlize does not escape url correctly
Triage Stage: Unreviewed → Accepted

by David Tulig, 16 years ago

Attachment: urlize.diff added

Escapes all ampersands.

comment:2 by David Tulig, 16 years ago

Has patch: set

comment:3 by Daniel Pope <dan@…>, 16 years ago

Patch needs improvement: set

This needs a change to the regression test.

by Chris Beaven, 16 years ago

Attachment: 6514.diff added

by Chris Beaven, 16 years ago

Attachment: 6514.2.diff added

by Chris Beaven, 16 years ago

Attachment: 6514.3.diff added

comment:4 by Chris Beaven, 16 years ago

Patch needs improvement: unset
Triage Stage: Accepted → Ready for checkin

Phew! It wasn't doing anything like it should have been doing.

comment:5 by Malcolm Tredinnick, 16 years ago

Resolution: fixed
Status: new → closed

(In [7079]) Fixed #6279, #6514 -- Fixed some HTML escaping problems in the urlize filter.
Based on a patch from SmileyChris with some test additions from Rob Hudson.
Thanks, both.
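
The mismatch reported in the description, reproduced as an added example (not Django's urlize and not code from any attached patch). The URL matcher is a simplified assumption, the function names are hypothetical, and the fixed variant escapes every HTML-special character in the href, which goes beyond the & case the ticket names:

```python
import html
import re
from html.parser import HTMLParser

# Simplified stand-in for URL detection (assumption): a whitespace-delimited
# word that starts with http:// or https://.
_URL_RE = re.compile(r"^https?://\S+$")


def _urlize(text, escape_href):
    out = []
    # Split on whitespace, keeping the separators so spacing survives.
    for word in re.split(r"(\s+)", text):
        if _URL_RE.match(word):
            # The href is an attribute value, so it needs escaping as well.
            href = html.escape(word, quote=True) if escape_href else word
            out.append('<a href="%s" rel="nofollow">%s</a>'
                       % (href, html.escape(word)))
        else:
            out.append(html.escape(word))
    return "".join(out)


def urlize_before(text):
    """Behaviour reported in the ticket: link text escaped, href left raw."""
    return _urlize(text, escape_href=False)


def urlize_after(text):
    """Expected behaviour: href and link text are both HTML-escaped."""
    return _urlize(text, escape_href=True)


class _AnchorAttrs(HTMLParser):
    """Collects the attribute list of each <a> tag as an HTML parser sees it."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(attrs)


def anchor_attrs(markup):
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.anchors
```

Parsing the output of urlize_after with anchor_attrs returns the original URL as the href value, which is the round-trip property a regression test for this ticket can assert.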
