summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorClaude Paroz <claude@2xlibre.net>2014-06-26 21:14:30 +0200
committerClaude Paroz <claude@2xlibre.net>2014-09-09 21:58:07 +0200
commit4b8a1d2c0d1a8c5107f3aef01597db78d2a2a5ce (patch)
treef23e274b5f112fadf6f4df992db65c8c91a73083
parent9562ffea9719f2b1795e676718c6d433a1f8d4ed (diff)
Fixed #22267 -- Fixed unquote/quote in smart_urlquote
Thanks Md. Enzam Hossain for the report and initial patch, and Tim Graham for the review.
-rw-r--r--django/utils/html.py37
-rw-r--r--tests/utils_tests/test_html.py6
2 files changed, 30 insertions, 13 deletions
diff --git a/django/utils/html.py b/django/utils/html.py
index 58165ff84c..6eed0b0192 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -12,7 +12,7 @@ from django.utils.functional import allow_lazy
from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
from django.utils.safestring import SafeData, mark_safe
from django.utils import six
-from django.utils.six.moves.urllib.parse import quote, unquote, urlsplit, urlunsplit
+from django.utils.six.moves.urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit
from django.utils.text import normalize_newlines
from .html_parser import HTMLParser, HTMLParseError
@@ -218,25 +218,38 @@ strip_entities = allow_lazy(strip_entities, six.text_type)
def smart_urlquote(url):
"Quotes a URL if it isn't already quoted."
+ def unquote_quote(segment):
+ segment = unquote(force_str(segment))
+ # Tilde is part of RFC3986 Unreserved Characters
+ # http://tools.ietf.org/html/rfc3986#section-2.3
+ # See also http://bugs.python.org/issue16285
+ segment = quote(segment, safe=RFC3986_SUBDELIMS + RFC3986_GENDELIMS + str('~'))
+ return force_text(segment)
+
# Handle IDN before quoting.
try:
scheme, netloc, path, query, fragment = urlsplit(url)
- try:
- netloc = netloc.encode('idna').decode('ascii') # IDN -> ACE
- except UnicodeError: # invalid domain part
- pass
- else:
- url = urlunsplit((scheme, netloc, path, query, fragment))
except ValueError:
# invalid IPv6 URL (normally square brackets in hostname part).
- pass
+ return unquote_quote(url)
+
+ try:
+ netloc = netloc.encode('idna').decode('ascii') # IDN -> ACE
+ except UnicodeError: # invalid domain part
+ return unquote_quote(url)
- url = unquote(force_str(url))
- # See http://bugs.python.org/issue2637
- url = quote(url, safe=RFC3986_SUBDELIMS + RFC3986_GENDELIMS + str('~'))
+ if query:
+ # Separately unquoting key/value, so as to not mix querystring separators
+ # included in query values. See #22267.
+ query_parts = [(unquote(force_str(q[0])), unquote(force_str(q[1])))
+ for q in parse_qsl(query, keep_blank_values=True)]
+ # urlencode will take care of quoting
+ query = urlencode(query_parts)
- return force_text(url)
+ path = unquote_quote(path)
+ fragment = unquote_quote(fragment)
+ return urlunsplit((scheme, netloc, path, query, fragment))
def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
"""
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index d08eb0be2b..374628dc0c 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -173,7 +173,11 @@ class TestUtilsHtml(TestCase):
# Ensure that everything unsafe is quoted, !*'();:@&=+$,/?#[]~ is considered safe as per RFC
self.assertEqual(quote('http://example.com/path/öäü/'), 'http://example.com/path/%C3%B6%C3%A4%C3%BC/')
self.assertEqual(quote('http://example.com/%C3%B6/ä/'), 'http://example.com/%C3%B6/%C3%A4/')
- self.assertEqual(quote('http://example.com/?x=1&y=2'), 'http://example.com/?x=1&y=2')
+ self.assertEqual(quote('http://example.com/?x=1&y=2+3&z='), 'http://example.com/?x=1&y=2+3&z=')
+ self.assertEqual(quote('http://example.com/?q=http://example.com/?x=1%26q=django'),
+ 'http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3Ddjango')
+ self.assertEqual(quote('http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3Ddjango'),
+ 'http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3Ddjango')
def test_conditional_escape(self):
s = '<h1>interop</h1>'