Opened 8 years ago

Closed 8 years ago

#6514 closed (fixed)

urlize does not escape url correctly

Reported by: Daniel Pope <dan@…>
Owned by: nobody
Component: Template system
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

urlize leaves unencoded characters in href attributes. In particular, & must be escaped as &amp; for valid XHTML. I believe unescaped '&'s are also invalid in HTML but HTML parsers are forgiving about this.

From the regression tests, http://example.com/x=&y= is converted to <a href="http://example.com/x=&y=" rel="nofollow">http://example.com/x=&amp;y=</a>.

It should be converted to <a href="http://example.com/x=&amp;y=" rel="nofollow">http://example.com/x=&amp;y=</a>.
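The reported and the expected output from the description above, reproduced as an added example; this is not Django's urlize code and not part of the ticket. The URL pattern and the names `linkify` and `hrefs_with_bare_ampersand` are assumptions made for the illustration.

```python
import html
import re

# Simplified URL pattern for this illustration (an assumption, not Django's).
URL_RE = re.compile(r"https?://[^\s<>\"']+")
HREF_RE = re.compile(r'href="([^"]*)"')
# An ampersand that does not begin a character reference such as &amp; or &#38;.
BARE_AMP_RE = re.compile(r"&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);)")


def linkify(text, escape_href=True):
    """Wrap URLs in anchors, HTML-escaping everything that is emitted.

    escape_href=False reproduces the output reported in the ticket: the link
    text is escaped but the href attribute value is copied through raw.
    """
    out, pos = [], 0
    for match in URL_RE.finditer(text):
        url = match.group(0)
        out.append(html.escape(text[pos:match.start()]))  # text before the URL
        href = html.escape(url, quote=True) if escape_href else url
        out.append('<a href="%s" rel="nofollow">%s</a>' % (href, html.escape(url)))
        pos = match.end()
    out.append(html.escape(text[pos:]))  # trailing text after the last URL
    return "".join(out)


def hrefs_with_bare_ampersand(markup):
    """Return href values that still contain an unescaped '&'."""
    return [h for h in HREF_RE.findall(markup) if BARE_AMP_RE.search(h)]


if __name__ == "__main__":
    sample = "see http://example.com/x=&y= for details"  # constructed input
    for flag in (False, True):
        markup = linkify(sample, escape_href=flag)
        print(flag, markup, hrefs_with_bare_ampersand(markup))
```

`hrefs_with_bare_ampersand` can serve as a regression check on rendered output: it returns an empty list only when every href value has its ampersands written as character references.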

Attachments (4)

urlize.diff (900 bytes) - added by dtulig 8 years ago.
Escapes all ampersands.
6514.diff (6.4 KB) - added by SmileyChris 8 years ago.
6514.2.diff (6.4 KB) - added by SmileyChris 8 years ago.
6514.3.diff (6.9 KB) - added by SmileyChris 8 years ago.


Change History (9)

comment:1 Changed 8 years ago by SmileyChris

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Summary changed from urlize does not escape & characters to urlize does not escape url correctly
  • Triage Stage changed from Unreviewed to Accepted

Changed 8 years ago by dtulig

Escapes all ampersands.

comment:2 Changed 8 years ago by dtulig

  • Has patch set

comment:3 Changed 8 years ago by Daniel Pope <dan@…>

  • Patch needs improvement set

This needs a change to the regression test.

Changed 8 years ago by SmileyChris

Changed 8 years ago by SmileyChris

Changed 8 years ago by SmileyChris

comment:4 Changed 8 years ago by SmileyChris

  • Patch needs improvement unset
  • Triage Stage changed from Accepted to Ready for checkin

Phew! It wasn't doing anything like it should have been doing.

comment:5 Changed 8 years ago by mtredinnick

  • Resolution set to fixed
  • Status changed from new to closed

(In [7079]) Fixed #6279, #6514 -- Fixed some HTML escaping problems in the urlize filter.
Based on a patch from SmileyChris with some test additions from Rob Hudson.
Thanks, both.
