diff options
| author | Claude Paroz <claude@2xlibre.net> | 2015-03-06 21:56:11 +0100 |
|---|---|---|
| committer | Claude Paroz <claude@2xlibre.net> | 2015-03-06 22:20:14 +0100 |
| commit | ec808e807ad711b993f199f6b4165ac6d0e1125b (patch) | |
| tree | 8a76a9169f1a3da7d0915332b2a3c6f34422eb0f | |
| parent | ceaf31adfff3801f1092a215f73704e15a70e90c (diff) | |
Fixed urlize regression with entities in query strings
Refs #22267.
Thanks Shai Berger for spotting the issue and Tim Graham for the
initial patch.
| -rw-r--r-- | django/utils/html.py | 14 | ||||
| -rw-r--r-- | tests/template_tests/filter_tests/test_urlize.py | 8 |
2 files changed, 15 insertions, 7 deletions
diff --git a/django/utils/html.py b/django/utils/html.py index 569ac74e96..63a895b432 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -282,17 +282,17 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): smart_urlquote. For example: http://example.com?x=1&y=<2> => http://example.com?x=1&y=<2> """ - if not safe_input: - return text, text, trail unescaped = (text + trail).replace( '&', '&').replace('<', '<').replace( '>', '>').replace('"', '"').replace(''', "'") - # ';' in trail can be either trailing punctuation or end-of-entity marker - if unescaped.endswith(';'): - return text, unescaped[:-1], trail - else: + if trail and unescaped.endswith(trail): + # Remove trail for unescaped if it was not consumed by unescape + unescaped = unescaped[:-len(trail)] + elif trail == ';': + # Trail was consumed by unescape (as end-of-entity marker), move it to text text += trail - return text, unescaped, '' + trail = '' + return text, unescaped, trail words = word_split_re.split(force_text(text)) for i, word in enumerate(words): diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py index 716bf9e6f5..1c55d64751 100644 --- a/tests/template_tests/filter_tests/test_urlize.py +++ b/tests/template_tests/filter_tests/test_urlize.py @@ -73,6 +73,14 @@ class UrlizeTests(SimpleTestCase): 'Email me at <<a href="mailto:me@example.com">me@example.com</a>>', ) + @setup({'urlize09': '{% autoescape off %}{{ a|urlize }}{% endautoescape %}'}) + def test_urlize09(self): + output = self.engine.render_to_string('urlize09', {'a': "http://example.com/?x=&y=<2>"}) + self.assertEqual( + output, + '<a href="http://example.com/?x=&y=%3C2%3E" rel="nofollow">http://example.com/?x=&y=<2></a>', + ) + class FunctionTests(SimpleTestCase): |
