authorLuke Plant <L.Plant.98@cantab.net>2015-07-21 13:35:11 +0100
committerLuke Plant <L.Plant.98@cantab.net>2015-07-21 14:04:58 +0100
commit8a5eadd140a5f06d24e1c5bc0c444ce11be0769a (patch)
tree49c9b7de125e971593e14f01281019ad884764b6 /tests/template_tests/syntax_tests/test_url.py
parent927b30a6ab33ea33e5e3b1e7408ac1d5d267ff6a (diff)
Corrected HTML-escaping behaviour of url template tag.
Because the tag URL-encodes all parameters that might be partly controllable by an end user, this bug caused no XSS or other security problem, only invalid HTML.
Diffstat (limited to 'tests/template_tests/syntax_tests/test_url.py')
-rw-r--r--tests/template_tests/syntax_tests/test_url.py11
1 files changed, 10 insertions, 1 deletions
diff --git a/tests/template_tests/syntax_tests/test_url.py b/tests/template_tests/syntax_tests/test_url.py
index d593591480..91ed8affb7 100644
--- a/tests/template_tests/syntax_tests/test_url.py
+++ b/tests/template_tests/syntax_tests/test_url.py
@@ -95,7 +95,7 @@ class UrlTagTests(SimpleTestCase):
@ignore_warnings(category=RemovedInDjango110Warning)
def test_url12(self):
output = self.engine.render_to_string('url12', {'client': {'id': 1}})
- self.assertEqual(output, '/client/1/!$&\'()*+,;=~:@,/')
+ self.assertEqual(output, '/client/1/!$&amp;&#39;()*+,;=~:@,/')
@ignore_warnings(category=RemovedInDjango110Warning)
@setup({'url13': '{% url "template_tests.views.client_action" '
@@ -133,6 +133,15 @@ class UrlTagTests(SimpleTestCase):
output = self.engine.render_to_string('url20', {'client': {'id': 1}, 'url_name_in_var': 'named.client'})
self.assertEqual(output, '/named-client/1/')
+ @setup({'url21': '{% autoescape off %}'
+ '{% url "template_tests.views.client_action" '
+ 'id=client.id action="!$&\'()*+,;=~:@," %}'
+ '{% endautoescape %}'})
+ @ignore_warnings(category=RemovedInDjango110Warning)
+ def test_url21(self):
+ output = self.engine.render_to_string('url21', {'client': {'id': 1}})
+ self.assertEqual(output, '/client/1/!$&\'()*+,;=~:@,/')
+
# Failures
@setup({'url-fail01': '{% url %}'})
def test_url_fail01(self):
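Review bot: test_url21 carries no comment saying why it exists next to test_url12, and the two expected strings differ only in the HTML escaping of `&` and `'`, so a reader of this test alone cannot tell which behaviour it pins. I would add above `def test_url21(self):` the comment `# Same tag and arguments as url12; with autoescape off the rendered URL must not be HTML-escaped (no &amp; / &#39;).`, and the changed assertion in the first hunk could carry `# autoescape on: '&' and "'" are HTML-escaped after URL quoting`. Neither hunk exercises a character that the tag percent-encodes, which the description names as the reason the bug was not an XSS issue; if that is not pinned elsewhere in this file, a sibling case with a `<` or `"` in `action` asserting it arrives percent-encoded under both autoescape settings would document that invariant. The enclosing class UrlTagTests starts before the first hunk and continues past the last line shown.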