authorTim Graham <timograham@gmail.com>2015-03-10 18:40:33 -0400
committerTim Graham <timograham@gmail.com>2015-03-10 18:58:34 -0400
commit7b1a67cce52e5c191fbfa1bca501c6f0222db019 (patch)
treeb2c69097c92a1ffef7e49f9aecc71b004bf4c2f9 /django/utils/html.py
parent57d42aef97eb8fa45584f2e863ccfa2b7c98d4b7 (diff)
Fixed escaping regression in urlize filter.
Now that the URL is always unescaped as of refs #22267, we should re-escape it before inserting it into the anchor.
Diffstat (limited to 'django/utils/html.py')
-rw-r--r--django/utils/html.py2
1 files changed, 1 insertions, 1 deletions
diff --git a/django/utils/html.py b/django/utils/html.py
index 63a895b432..779155e88c 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -337,7 +337,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
if autoescape and not safe_input:
lead, trail = escape(lead), escape(trail)
trimmed = escape(trimmed)
- middle = '<a href="%s"%s>%s</a>' % (url, nofollow_attr, trimmed)
+ middle = '<a href="%s"%s>%s</a>' % (escape(url), nofollow_attr, trimmed)
words[i] = mark_safe('%s%s%s' % (lead, middle, trail))
else:
if safe_input:
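Review bot: The `escape(url)` on the new `middle = ...` line deserves a short comment, because per the commit message the URL has already been unescaped upstream and this is the one escape here that must not depend on `autoescape` or `safe_input`; without it a `"`, `<` or `&` in the URL lands raw inside the `href` attribute. Something like `# url was unescaped earlier (refs #22267); always re-escape it for the href attribute, regardless of autoescape` would keep a later cleanup from folding it into the `if autoescape and not safe_input:` branch or dropping it as apparent double escaping. Indentation is lost on this page, so I am assuming the line sits outside that conditional; if it is actually inside, the href would stay unescaped for safe input and with autoescape off. The diffstat is limited to this file, so it is not visible whether a regression test with a quote or angle bracket in the URL accompanies the change. The body of `urlize` starts and ends outside the hunk.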