diff options
| author | Claude Paroz <claude@2xlibre.net> | 2015-03-06 21:56:11 +0100 |
|---|---|---|
| committer | Claude Paroz <claude@2xlibre.net> | 2015-03-06 22:22:51 +0100 |
| commit | ac07890f959c467b3fc9c6dd6d36aafc2eff1fcc (patch) | |
| tree | 06065cdd86c2d2c1413e11c1a57a19f050c7c495 | |
| parent | 823f8cdbc91f85a8ab3cb1ccfec5659037b5c148 (diff) | |
[1.8.x] Fixed urlize regression with entities in query strings
Refs #22267.
Thanks Shai Berger for spotting the issue and Tim Graham for the
initial patch.
Backport of ec808e807 from master.
| -rw-r--r-- | django/utils/html.py | 14 | ||||
| -rw-r--r-- | tests/template_tests/filter_tests/test_urlize.py | 8 |
2 files changed, 15 insertions, 7 deletions
diff --git a/django/utils/html.py b/django/utils/html.py index 1cb09357c2..d7ecde64c3 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -290,17 +290,17 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): smart_urlquote. For example: http://example.com?x=1&y=<2> => http://example.com?x=1&y=<2> """ - if not safe_input: - return text, text, trail unescaped = (text + trail).replace( '&', '&').replace('<', '<').replace( '>', '>').replace('"', '"').replace(''', "'") - # ';' in trail can be either trailing punctuation or end-of-entity marker - if unescaped.endswith(';'): - return text, unescaped[:-1], trail - else: + if trail and unescaped.endswith(trail): + # Remove trail for unescaped if it was not consumed by unescape + unescaped = unescaped[:-len(trail)] + elif trail == ';': + # Trail was consumed by unescape (as end-of-entity marker), move it to text text += trail - return text, unescaped, '' + trail = '' + return text, unescaped, trail words = word_split_re.split(force_text(text)) for i, word in enumerate(words): diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py index 716bf9e6f5..1c55d64751 100644 --- a/tests/template_tests/filter_tests/test_urlize.py +++ b/tests/template_tests/filter_tests/test_urlize.py @@ -73,6 +73,14 @@ class UrlizeTests(SimpleTestCase): 'Email me at <<a href="mailto:me@example.com">me@example.com</a>>', ) + @setup({'urlize09': '{% autoescape off %}{{ a|urlize }}{% endautoescape %}'}) + def test_urlize09(self): + output = self.engine.render_to_string('urlize09', {'a': "http://example.com/?x=&y=<2>"}) + self.assertEqual( + output, + '<a href="http://example.com/?x=&y=%3C2%3E" rel="nofollow">http://example.com/?x=&y=<2></a>', + ) + class FunctionTests(SimpleTestCase): |
