Fixed #6279, #6514 -- Fixed some HTML escaping problems in the urlize filter. (0c4ea9b9) · Commits · Dom Sekotill / django

django/utils/html.py

+14 −9

Original line number	Diff line number	Diff line
		@@ -102,18 +102,23 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
		if middle.startswith('www.') or ('@' not in middle and not middle.startswith('http://') and \
		len(middle) > 0 and middle[0] in string.ascii_letters + string.digits and \
		(middle.endswith('.org') or middle.endswith('.net') or middle.endswith('.com'))):
		middle = '<a href="http://%s"%s>%s</a>' % (
		urlquote(middle, safe='/&=:;#?+'), nofollow_attr,
		trim_url(middle))
		middle = 'http://%s' % middle
		if middle.startswith('http://') or middle.startswith('https://'):
		middle = '<a href="%s"%s>%s</a>' % (
		urlquote(middle, safe='/&=:;#?+'), nofollow_attr,
		trim_url(middle))
		if '@' in middle and not middle.startswith('www.') and \
		url = urlquote(middle, safe='/&=:;#?+*')
		if autoescape and not safe_input:
		url = escape(url)
		trimmed_url = trim_url(middle)
		middle = '<a href="%s"%s>%s</a>' % (url, nofollow_attr,
		trimmed_url)
		elif '@' in middle and not middle.startswith('www.') and \
		not ':' in middle and simple_email_re.match(middle):
		if autoescape:
		middle = conditional_escape(middle)
		middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
		if lead + middle + trail != word:
		words[i] = lead + middle + trail
		if autoescape and not safe_input:
		lead, trail = escape(lead), escape(trail)
		words[i] = mark_safe('%s%s%s' % (lead, middle, trail))
		elif autoescape and not safe_input:
		words[i] = escape(word)
		elif safe_input:

tests/regressiontests/templates/filters.py

+9 −5

Original line number	Diff line number	Diff line
		@@ -98,8 +98,8 @@ def get_filter_tests():
		'filter-upper01': ('{% autoescape off %}{{ a\|upper }} {{ b\|upper }}{% endautoescape %}', {"a": "a & b", "b": mark_safe("a & b")}, u"A & B A &AMP; B"),
		'filter-upper02': ('{{ a\|upper }} {{ b\|upper }}', {"a": "a & b", "b": mark_safe("a & b")}, u"A & B A &AMP; B"),

		'filter-urlize01': ('{% autoescape off %}{{ a\|urlize }} {{ b\|urlize }}{% endautoescape %}', {"a": "http://example.com/x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/x=&y=" rel="nofollow">http://example.com/x=&y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
		'filter-urlize02': ('{{ a\|urlize }} {{ b\|urlize }}', {"a": "http://example.com/x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/x=&y=" rel="nofollow">http://example.com/x=&y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
		'filter-urlize01': ('{% autoescape off %}{{ a\|urlize }} {{ b\|urlize }}{% endautoescape %}', {"a": "http://example.com/?x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/?x=&y=" rel="nofollow">http://example.com/?x=&y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
		'filter-urlize02': ('{{ a\|urlize }} {{ b\|urlize }}', {"a": "http://example.com/?x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/?x=&y=" rel="nofollow">http://example.com/?x=&y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
		'filter-urlize03': ('{% autoescape off %}{{ a\|urlize }}{% endautoescape %}', {"a": mark_safe("a & b")}, 'a & b'),
		'filter-urlize04': ('{{ a\|urlize }}', {"a": mark_safe("a & b")}, 'a & b'),

		@@ -108,8 +108,12 @@ def get_filter_tests():
		'filter-urlize05': ('{% autoescape off %}{{ a\|urlize }}{% endautoescape %}', {"a": "<script>alert('foo')</script>"}, "<script>alert('foo')</script>"),
		'filter-urlize06': ('{{ a\|urlize }}', {"a": "<script>alert('foo')</script>"}, '<script>alert('foo')</script>'),

		'filter-urlizetrunc01': ('{% autoescape off %}{{ a\|urlizetrunc:"8" }} {{ b\|urlizetrunc:"8" }}{% endautoescape %}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('"Safe" http://example.com?x=&y=')}, u'"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> "Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),
		'filter-urlizetrunc02': ('{{ a\|urlizetrunc:"8" }} {{ b\|urlizetrunc:"8" }}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('"Safe" http://example.com?x=&y=')}, u'"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> "Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),
		# mailto: testing for urlize
		'filter-urlize07': ('{{ a\|urlize }}', {"a": "Email me at me@example.com"}, 'Email me at <a href="mailto:me@example.com">me@example.com</a>'),
		'filter-urlize08': ('{{ a\|urlize }}', {"a": "Email me at <me@example.com>"}, 'Email me at <<a href="mailto:me@example.com">me@example.com</a>>'),

		'filter-urlizetrunc01': ('{% autoescape off %}{{ a\|urlizetrunc:"8" }} {{ b\|urlizetrunc:"8" }}{% endautoescape %}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('"Safe" http://example.com?x=&y=')}, u'"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> "Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),
		'filter-urlizetrunc02': ('{{ a\|urlizetrunc:"8" }} {{ b\|urlizetrunc:"8" }}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('"Safe" http://example.com?x=&y=')}, u'"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> "Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),

		'filter-wordcount01': ('{% autoescape off %}{{ a\|wordcount }} {{ b\|wordcount }}{% endautoescape %}', {"a": "a & b", "b": mark_safe("a & b")}, "3 3"),
		'filter-wordcount02': ('{{ a\|wordcount }} {{ b\|wordcount }}', {"a": "a & b", "b": mark_safe("a & b")}, "3 3"),

Original line number	Diff line number	Diff line
		@@ -98,8 +98,8 @@ def get_filter_tests():
		'filter-upper01': ('{% autoescape off %}{{ a\|upper }} {{ b\|upper }}{% endautoescape %}', {"a": "a & b", "b": mark_safe("a & b")}, u"A & B A &AMP; B"),
		'filter-upper02': ('{{ a\|upper }} {{ b\|upper }}', {"a": "a & b", "b": mark_safe("a & b")}, u"A & B A &AMP; B"),

		'filter-urlize01': ('{% autoescape off %}{{ a\|urlize }} {{ b\|urlize }}{% endautoescape %}', {"a": "http://example.com/x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/x=&y=" rel="nofollow">http://example.com/x=&y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
		'filter-urlize02': ('{{ a\|urlize }} {{ b\|urlize }}', {"a": "http://example.com/x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/x=&y=" rel="nofollow">http://example.com/x=&y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
		'filter-urlize01': ('{% autoescape off %}{{ a\|urlize }} {{ b\|urlize }}{% endautoescape %}', {"a": "http://example.com/?x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/?x=&y=" rel="nofollow">http://example.com/?x=&y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
		'filter-urlize02': ('{{ a\|urlize }} {{ b\|urlize }}', {"a": "http://example.com/?x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/?x=&y=" rel="nofollow">http://example.com/?x=&y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
		'filter-urlize03': ('{% autoescape off %}{{ a\|urlize }}{% endautoescape %}', {"a": mark_safe("a & b")}, 'a & b'),
		'filter-urlize04': ('{{ a\|urlize }}', {"a": mark_safe("a & b")}, 'a & b'),

		@@ -108,8 +108,12 @@ def get_filter_tests():
		'filter-urlize05': ('{% autoescape off %}{{ a\|urlize }}{% endautoescape %}', {"a": "<script>alert('foo')</script>"}, "<script>alert('foo')</script>"),
		'filter-urlize06': ('{{ a\|urlize }}', {"a": "<script>alert('foo')</script>"}, '<script>alert('foo')</script>'),

		'filter-urlizetrunc01': ('{% autoescape off %}{{ a\|urlizetrunc:"8" }} {{ b\|urlizetrunc:"8" }}{% endautoescape %}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('"Safe" http://example.com?x=&y=')}, u'"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> "Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),
		'filter-urlizetrunc02': ('{{ a\|urlizetrunc:"8" }} {{ b\|urlizetrunc:"8" }}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('"Safe" http://example.com?x=&y=')}, u'"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> "Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),
		# mailto: testing for urlize
		'filter-urlize07': ('{{ a\|urlize }}', {"a": "Email me at me@example.com"}, 'Email me at <a href="mailto:me@example.com">me@example.com</a>'),
		'filter-urlize08': ('{{ a\|urlize }}', {"a": "Email me at <me@example.com>"}, 'Email me at <<a href="mailto:me@example.com">me@example.com</a>>'),

		'filter-urlizetrunc01': ('{% autoescape off %}{{ a\|urlizetrunc:"8" }} {{ b\|urlizetrunc:"8" }}{% endautoescape %}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('"Safe" http://example.com?x=&y=')}, u'"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> "Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),
		'filter-urlizetrunc02': ('{{ a\|urlizetrunc:"8" }} {{ b\|urlizetrunc:"8" }}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('"Safe" http://example.com?x=&y=')}, u'"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> "Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),

		'filter-wordcount01': ('{% autoescape off %}{{ a\|wordcount }} {{ b\|wordcount }}{% endautoescape %}', {"a": "a & b", "b": mark_safe("a & b")}, "3 3"),
		'filter-wordcount02': ('{{ a\|wordcount }} {{ b\|wordcount }}', {"a": "a & b", "b": mark_safe("a & b")}, "3 3"),