summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAhmed Nassar <a.moh.nassar00@gmail.com>2025-03-08 16:35:10 +0200
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2025-03-19 14:28:42 +0100
commitec7044c706f48f5ab3d9e4c35e4078b9f9dcaaf2 (patch)
tree728764e3cac25453c9936eaae272cc3cc019a017
parented1e7c02c9db2cc28b3ab5621ce6315fcee54b27 (diff)
Fixed #36000 -- Deprecated HTTP as the default protocol in urlize and urlizetrunc.
Diffstat
-rw-r--r--django/conf/global_settings.py5
-rw-r--r--django/utils/html.py22
-rw-r--r--docs/internals/deprecation.txt5
-rw-r--r--docs/ref/settings.txt16
-rw-r--r--docs/ref/templates/builtins.txt40
-rw-r--r--docs/releases/6.0.txt7
-rw-r--r--tests/template_tests/filter_tests/test_urlize.py52
-rw-r--r--tests/template_tests/filter_tests/test_urlizetrunc.py8
-rw-r--r--tests/utils_tests/test_html.py24
9 files changed, 141 insertions, 38 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 536bbb7c45..672c46b88f 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -662,3 +662,8 @@ SECURE_REDIRECT_EXEMPT = []
SECURE_REFERRER_POLICY = "same-origin"
SECURE_SSL_HOST = None
SECURE_SSL_REDIRECT = False
+
+# RemovedInDjango70Warning: A transitional setting helpful in early adoption of
+# HTTPS as the default protocol in urlize and urlizetrunc when no protocol is
+# provided. Set to True to assume HTTPS during the Django 6.x release cycle.
+URLIZE_ASSUME_HTTPS = False
diff --git a/django/utils/html.py b/django/utils/html.py
index 182b7d4cec..a9d029165f 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -3,12 +3,15 @@
import html
import json
import re
+import warnings
from collections.abc import Mapping
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit
+from django.conf import settings
from django.core.exceptions import SuspiciousOperation, ValidationError
from django.core.validators import EmailValidator
+from django.utils.deprecation import RemovedInDjango70Warning
from django.utils.functional import Promise, cached_property, keep_lazy, keep_lazy_text
from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
from django.utils.regex_helper import _lazy_re_compile
@@ -343,7 +346,24 @@ class Urlizer:
if len(middle) <= MAX_URL_LENGTH and self.simple_url_re.match(middle):
url = smart_urlquote(html.unescape(middle))
elif len(middle) <= MAX_URL_LENGTH and self.simple_url_2_re.match(middle):
- url = smart_urlquote("http://%s" % html.unescape(middle))
+ unescaped_middle = html.unescape(middle)
+ # RemovedInDjango70Warning: When the deprecation ends, replace with:
+ # url = smart_urlquote(f"https://{unescaped_middle}")
+ protocol = (
+ "https"
+ if getattr(settings, "URLIZE_ASSUME_HTTPS", False)
+ else "http"
+ )
+ if not settings.URLIZE_ASSUME_HTTPS:
+ warnings.warn(
+ "The default protocol will be changed from HTTP to "
+ "HTTPS in Django 7.0. Set the URLIZE_ASSUME_HTTPS "
+ "transitional setting to True to opt into using HTTPS as the "
+ "new default protocol.",
+ RemovedInDjango70Warning,
+ stacklevel=2,
+ )
+ url = smart_urlquote(f"{protocol}://{unescaped_middle}")
elif ":" not in middle and self.is_email_simple(middle):
local, domain = middle.rsplit("@", 1)
# Encode per RFC 6068 Section 2 (items 1, 4, 5). Defer any IDNA
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index 15a44e78e4..1ac2c291e0 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -23,6 +23,11 @@ details on these changes.
* The ``django.contrib.postgres.aggregates.mixins.OrderableAggMixin`` class
will be removed.
+* The default protocol in ``urlize`` and ``urlizetrunc`` template filters will
+ change from HTTP to HTTPS.
+
+* The ``URLIZE_ASSUME_HTTPS`` transitional setting will be removed.
+
.. _deprecation-removed-in-6.1:
6.1
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 556cbb4b1e..ab82b539b0 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2955,6 +2955,21 @@ enabled if a proxy which sets this header is in use.
:setting:`USE_X_FORWARDED_HOST` takes priority over this setting.
+.. setting:: URLIZE_ASSUME_HTTPS
+
+``URLIZE_ASSUME_HTTPS``
+-----------------------
+
+.. versionadded:: 6.0
+.. deprecated:: 6.0
+
+Default: ``False``
+
+Set this transitional setting to ``True`` to opt into using HTTPS as the
+default protocol when none is provided in URLs processed by the
+:tfilter:`urlize` and :tfilter:`urlizetrunc` template filters during the Django
+6.x release cycle.
+
.. setting:: WSGI_APPLICATION
``WSGI_APPLICATION``
@@ -3766,6 +3781,7 @@ Security
* :setting:`SECRET_KEY`
* :setting:`SECRET_KEY_FALLBACKS`
+* :setting:`URLIZE_ASSUME_HTTPS`
* :setting:`X_FRAME_OPTIONS`
Serialization
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 247f5e9890..f5470ad0eb 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -2905,9 +2905,23 @@ For example:
{{ value|urlize }}
-If ``value`` is ``"Check out www.djangoproject.com"``, the output will be
-``"Check out <a href="http://www.djangoproject.com"
-rel="nofollow">www.djangoproject.com</a>"``.
+If ``value`` is ``"Check out www.djangoproject.com"``, the output will be:
+
+.. code-block:: html+django
+
+ Check out <a href="http://www.djangoproject.com" rel="nofollow">www.djangoproject.com</a>
+
+.. deprecated:: 6.0
+
+ The default protocol when none is provided will change from HTTP to HTTPS
+ in Django 7.0. Hence, the output will become:
+
+ .. code-block:: html+django
+
+ Check out <a href="https://www.djangoproject.com" rel="nofollow">www.djangoproject.com</a>
+
+ Set the transitional setting :setting:`URLIZE_ASSUME_HTTPS` to ``True`` to
+ opt into using HTTPS during the Django 6.x release cycle.
In addition to web links, ``urlize`` also converts email addresses into
``mailto:`` links. If ``value`` is
@@ -2942,9 +2956,23 @@ For example:
{{ value|urlizetrunc:15 }}
-If ``value`` is ``"Check out www.djangoproject.com"``, the output would be
-``'Check out <a href="http://www.djangoproject.com"
-rel="nofollow">www.djangoproj…</a>'``.
+If ``value`` is ``"Check out www.djangoproject.com"``, the output would be:
+
+.. code-block:: html+django
+
+ Check out <a href="http://www.djangoproject.com" rel="nofollow">www.djangoproj…</a>
+
+.. deprecated:: 6.0
+
+ The default protocol when none is provided will change from HTTP to HTTPS
+ in Django 7.0. Hence, the output will become:
+
+ .. code-block:: html+django
+
+ Check out <a href="https://www.djangoproject.com" rel="nofollow">www.djangoproj…</a>
+
+ Set the transitional setting :setting:`URLIZE_ASSUME_HTTPS` to ``True`` to
+ opt into using HTTPS during the Django 6.x release cycle.
As with urlize_, this filter should only be applied to plain text.
diff --git a/docs/releases/6.0.txt b/docs/releases/6.0.txt
index c604638deb..2cbab2dace 100644
--- a/docs/releases/6.0.txt
+++ b/docs/releases/6.0.txt
@@ -321,6 +321,13 @@ Miscellaneous
* The PostgreSQL ``OrderableAggMixin`` is deprecated in favor of the
``order_by`` attribute now available on the ``Aggregate`` class.
+* The default protocol in :tfilter:`urlize` and :tfilter:`urlizetrunc` will
+ change from HTTP to HTTPS in Django 7.0. Set the transitional setting
+ ``URLIZE_ASSUME_HTTPS`` to ``True`` to opt into assuming HTTPS during the
+ Django 6.x release cycle.
+
+* ``URLIZE_ASSUME_HTTPS`` transitional setting is deprecated.
+
Features removed in 6.0
=======================
diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py
index c186acd948..043029c8dc 100644
--- a/tests/template_tests/filter_tests/test_urlize.py
+++ b/tests/template_tests/filter_tests/test_urlize.py
@@ -2,6 +2,7 @@ from unittest import mock
from django.template.defaultfilters import urlize
from django.test import SimpleTestCase
+from django.test.utils import override_settings
from django.utils.functional import lazy
from django.utils.html import Urlizer
from django.utils.safestring import mark_safe
@@ -109,6 +110,7 @@ class UrlizeTests(SimpleTestCase):
)
+@override_settings(URLIZE_ASSUME_HTTPS=True)
class FunctionTests(SimpleTestCase):
def test_urls(self):
self.assertEqual(
@@ -121,15 +123,16 @@ class FunctionTests(SimpleTestCase):
)
self.assertEqual(
urlize("www.google.com"),
- '<a href="http://www.google.com" rel="nofollow">www.google.com</a>',
+ '<a href="https://www.google.com" rel="nofollow">www.google.com</a>',
)
self.assertEqual(
urlize("djangoproject.org"),
- '<a href="http://djangoproject.org" rel="nofollow">djangoproject.org</a>',
+ '<a href="https://djangoproject.org" rel="nofollow">djangoproject.org</a>',
)
self.assertEqual(
urlize("djangoproject.org/"),
- '<a href="http://djangoproject.org/" rel="nofollow">djangoproject.org/</a>',
+ '<a href="https://djangoproject.org/" rel="nofollow">'
+ "djangoproject.org/</a>",
)
def test_url_split_chars(self):
@@ -137,21 +140,21 @@ class FunctionTests(SimpleTestCase):
# part of URLs.
self.assertEqual(
urlize('www.server.com"abc'),
- '<a href="http://www.server.com" rel="nofollow">www.server.com</a>&quot;'
+ '<a href="https://www.server.com" rel="nofollow">www.server.com</a>&quot;'
"abc",
)
self.assertEqual(
urlize("www.server.com'abc"),
- '<a href="http://www.server.com" rel="nofollow">www.server.com</a>&#x27;'
+ '<a href="https://www.server.com" rel="nofollow">www.server.com</a>&#x27;'
"abc",
)
self.assertEqual(
urlize("www.server.com<abc"),
- '<a href="http://www.server.com" rel="nofollow">www.server.com</a>&lt;abc',
+ '<a href="https://www.server.com" rel="nofollow">www.server.com</a>&lt;abc',
)
self.assertEqual(
urlize("www.server.com>abc"),
- '<a href="http://www.server.com" rel="nofollow">www.server.com</a>&gt;abc',
+ '<a href="https://www.server.com" rel="nofollow">www.server.com</a>&gt;abc',
)
def test_email(self):
@@ -184,7 +187,7 @@ class FunctionTests(SimpleTestCase):
def test_urlencoded(self):
self.assertEqual(
urlize("www.mystore.com/30%OffCoupons!"),
- '<a href="http://www.mystore.com/30%25OffCoupons" rel="nofollow">'
+ '<a href="https://www.mystore.com/30%25OffCoupons" rel="nofollow">'
"www.mystore.com/30%OffCoupons</a>!",
)
self.assertEqual(
@@ -222,7 +225,7 @@ class FunctionTests(SimpleTestCase):
self.assertEqual(
urlize("foo@bar.com or www.bar.com"),
'<a href="mailto:foo@bar.com">foo@bar.com</a> or '
- '<a href="http://www.bar.com" rel="nofollow">www.bar.com</a>',
+ '<a href="https://www.bar.com" rel="nofollow">www.bar.com</a>',
)
def test_idn(self):
@@ -236,11 +239,11 @@ class FunctionTests(SimpleTestCase):
)
self.assertEqual(
urlize("www.c✶.ws"),
- '<a href="http://www.c%E2%9C%B6.ws" rel="nofollow">www.c✶.ws</a>',
+ '<a href="https://www.c%E2%9C%B6.ws" rel="nofollow">www.c✶.ws</a>',
)
self.assertEqual(
urlize("c✶.org"),
- '<a href="http://c%E2%9C%B6.org" rel="nofollow">c✶.org</a>',
+ '<a href="https://c%E2%9C%B6.org" rel="nofollow">c✶.org</a>',
)
self.assertEqual(
urlize("info@c✶.org"),
@@ -250,12 +253,12 @@ class FunctionTests(SimpleTestCase):
# Pre-encoded IDNA is urlized but not re-encoded.
self.assertEqual(
urlize("www.xn--iny-zx5a.com/idna2003"),
- '<a href="http://www.xn--iny-zx5a.com/idna2003"'
+ '<a href="https://www.xn--iny-zx5a.com/idna2003"'
' rel="nofollow">www.xn--iny-zx5a.com/idna2003</a>',
)
self.assertEqual(
urlize("www.xn--fa-hia.com/idna2008"),
- '<a href="http://www.xn--fa-hia.com/idna2008"'
+ '<a href="https://www.xn--fa-hia.com/idna2008"'
' rel="nofollow">www.xn--fa-hia.com/idna2008</a>',
)
@@ -272,7 +275,7 @@ class FunctionTests(SimpleTestCase):
#16656 - Check urlize accepts more TLDs
"""
self.assertEqual(
- urlize("usa.gov"), '<a href="http://usa.gov" rel="nofollow">usa.gov</a>'
+ urlize("usa.gov"), '<a href="https://usa.gov" rel="nofollow">usa.gov</a>'
)
def test_invalid_email(self):
@@ -351,11 +354,12 @@ class FunctionTests(SimpleTestCase):
"""
self.assertEqual(
urlize("[see www.example.com]"),
- '[see <a href="http://www.example.com" rel="nofollow">www.example.com</a>]',
+ '[see <a href="https://www.example.com" rel="nofollow">'
+ "www.example.com</a>]",
)
self.assertEqual(
urlize("see test[at[example.com"),
- 'see <a href="http://test[at[example.com" rel="nofollow">'
+ 'see <a href="https://test[at[example.com" rel="nofollow">'
"test[at[example.com</a>",
)
self.assertEqual(
@@ -443,22 +447,22 @@ class FunctionTests(SimpleTestCase):
"""
self.assertEqual(
urlize("Go to djangoproject.com! and enjoy."),
- 'Go to <a href="http://djangoproject.com" rel="nofollow">djangoproject.com'
+ 'Go to <a href="https://djangoproject.com" rel="nofollow">djangoproject.com'
"</a>! and enjoy.",
)
self.assertEqual(
urlize("Search for google.com/?q=! and see."),
- 'Search for <a href="http://google.com/?q=" rel="nofollow">google.com/?q='
+ 'Search for <a href="https://google.com/?q=" rel="nofollow">google.com/?q='
"</a>! and see.",
)
self.assertEqual(
urlize("Search for google.com/?q=dj!`? and see."),
- 'Search for <a href="http://google.com/?q=dj%21%60%3F" rel="nofollow">'
+ 'Search for <a href="https://google.com/?q=dj%21%60%3F" rel="nofollow">'
"google.com/?q=dj!`?</a> and see.",
)
self.assertEqual(
urlize("Search for google.com/?q=dj!`?! and see."),
- 'Search for <a href="http://google.com/?q=dj%21%60%3F" rel="nofollow">'
+ 'Search for <a href="https://google.com/?q=dj%21%60%3F" rel="nofollow">'
"google.com/?q=dj!`?</a>! and see.",
)
@@ -468,14 +472,14 @@ class FunctionTests(SimpleTestCase):
def test_autoescape(self):
self.assertEqual(
urlize('foo<a href=" google.com ">bar</a>buz'),
- 'foo&lt;a href=&quot; <a href="http://google.com" rel="nofollow">google.com'
- "</a> &quot;&gt;bar&lt;/a&gt;buz",
+ 'foo&lt;a href=&quot; <a href="https://google.com" rel="nofollow">'
+ "google.com</a> &quot;&gt;bar&lt;/a&gt;buz",
)
def test_autoescape_off(self):
self.assertEqual(
urlize('foo<a href=" google.com ">bar</a>buz', autoescape=False),
- 'foo<a href=" <a href="http://google.com" rel="nofollow">google.com</a> ">'
+ 'foo<a href=" <a href="https://google.com" rel="nofollow">google.com</a> ">'
"bar</a>buz",
)
@@ -483,7 +487,7 @@ class FunctionTests(SimpleTestCase):
prepend_www = lazy(lambda url: "www." + url, str)
self.assertEqual(
urlize(prepend_www("google.com")),
- '<a href="http://www.google.com" rel="nofollow">www.google.com</a>',
+ '<a href="https://www.google.com" rel="nofollow">www.google.com</a>',
)
@mock.patch.object(Urlizer, "handle_word", return_value="test")
diff --git a/tests/template_tests/filter_tests/test_urlizetrunc.py b/tests/template_tests/filter_tests/test_urlizetrunc.py
index 752ee3571e..df8c4efa79 100644
--- a/tests/template_tests/filter_tests/test_urlizetrunc.py
+++ b/tests/template_tests/filter_tests/test_urlizetrunc.py
@@ -1,5 +1,6 @@
from django.template.defaultfilters import urlizetrunc
from django.test import SimpleTestCase
+from django.test.utils import override_settings
from django.utils.safestring import mark_safe
from ..utils import setup
@@ -48,6 +49,7 @@ class UrlizetruncTests(SimpleTestCase):
)
+@override_settings(URLIZE_ASSUME_HTTPS=True)
class FunctionTests(SimpleTestCase):
def test_truncate(self):
uri = "http://31characteruri.com/test/"
@@ -93,13 +95,13 @@ class FunctionTests(SimpleTestCase):
def test_autoescape(self):
self.assertEqual(
urlizetrunc('foo<a href=" google.com ">bar</a>buz', 10),
- 'foo&lt;a href=&quot; <a href="http://google.com" rel="nofollow">google.com'
- "</a> &quot;&gt;bar&lt;/a&gt;buz",
+ 'foo&lt;a href=&quot; <a href="https://google.com" rel="nofollow">'
+ "google.com</a> &quot;&gt;bar&lt;/a&gt;buz",
)
def test_autoescape_off(self):
self.assertEqual(
urlizetrunc('foo<a href=" google.com ">bar</a>buz', 9, autoescape=False),
- 'foo<a href=" <a href="http://google.com" rel="nofollow">google.c…</a> ">'
+ 'foo<a href=" <a href="https://google.com" rel="nofollow">google.c…</a> ">'
"bar</a>buz",
)
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 4db3816c72..88e77a3c82 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -4,6 +4,8 @@ from datetime import datetime
from django.core.exceptions import SuspiciousOperation
from django.core.serializers.json import DjangoJSONEncoder
from django.test import SimpleTestCase
+from django.test.utils import override_settings
+from django.utils.deprecation import RemovedInDjango70Warning
from django.utils.functional import lazystr
from django.utils.html import (
conditional_escape,
@@ -22,6 +24,7 @@ from django.utils.html import (
from django.utils.safestring import mark_safe
+@override_settings(URLIZE_ASSUME_HTTPS=True)
class TestUtilsHtml(SimpleTestCase):
def check_output(self, function, value, output=None):
"""
@@ -369,17 +372,17 @@ class TestUtilsHtml(SimpleTestCase):
tests = (
(
"Search for google.com/?q=! and see.",
- 'Search for <a href="http://google.com/?q=">google.com/?q=</a>! and '
+ 'Search for <a href="https://google.com/?q=">google.com/?q=</a>! and '
"see.",
),
(
"Search for google.com/?q=1&lt! and see.",
- 'Search for <a href="http://google.com/?q=1%3C">google.com/?q=1&lt'
+ 'Search for <a href="https://google.com/?q=1%3C">google.com/?q=1&lt'
"</a>! and see.",
),
(
lazystr("Search for google.com/?q=!"),
- 'Search for <a href="http://google.com/?q=">google.com/?q=</a>!',
+ 'Search for <a href="https://google.com/?q=">google.com/?q=</a>!',
),
(
"http://www.foo.bar/",
@@ -388,7 +391,7 @@ class TestUtilsHtml(SimpleTestCase):
(
"Look on www.نامه‌ای.com.",
"Look on <a "
- 'href="http://www.%D9%86%D8%A7%D9%85%D9%87%E2%80%8C%D8%A7%DB%8C.com"'
+ 'href="https://www.%D9%86%D8%A7%D9%85%D9%87%E2%80%8C%D8%A7%DB%8C.com"'
">www.نامه‌ای.com</a>.",
),
("foo@example.com", '<a href="mailto:foo@example.com">foo@example.com</a>'),
@@ -422,6 +425,19 @@ class TestUtilsHtml(SimpleTestCase):
with self.subTest(value=value):
self.assertEqual(urlize(value), output)
+ @override_settings(URLIZE_ASSUME_HTTPS=False)
+ def test_urlize_http_default_warning(self):
+ msg = (
+ "The default protocol will be changed from HTTP to HTTPS in Django 7.0. "
+ "Set the URLIZE_ASSUME_HTTPS transitional setting to True to opt into "
+ "using HTTPS as the new default protocol."
+ )
+ with self.assertWarnsMessage(RemovedInDjango70Warning, msg):
+ self.assertEqual(
+ urlize("Visit example.com"),
+ 'Visit <a href="http://example.com">example.com</a>',
+ )
+
def test_urlize_unchanged_inputs(self):
tests = (
("a" + "@a" * 50000) + "a", # simple_email_re catastrophic test
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 23:46:49 +0000