urlize filter mangling encoding in URLs

philgyford · July 12, 2024, 6:02pm

If I put this in a Django template:

{{ "https://example.com/data=https:%2F%2Ffoo.org%2F"|urlize }}

then it generates this HTML (line breaks and indentation added for readability):

<a href="https://example.com/data=https://foo.org/" rel="nofollow">
  https://example.com/data=https:%2F%2Ffoo.org%2F
</a>

As you can see it changes any encoded %2F into a /.

I realise you’d usually put this kind of stuff in GET args, but sites like Google Street View have URLs like that, e.g. https://www.google.com/maps/@51.4617759,-0.1456679,3a,75y,327.01h,88.41t/data=!3m7!1e1!3m5!1sCShFitAntdbZQpjV4_T-pA!2e0!6shttps:%2F%2Fstreetviewpixels-pa.googleapis.com%2Fv1%2Fthumbnail%3Fpanoid%3DCShFitAntdbZQpjV4_T-pA%26cb_client%3Dmaps_sv.share%26w%3D900%26h%3D600%26yaw%3D327.01%26pitch%3D1.5900000000000034%26thumbfov%3D90!7i16384!8i8192?coh=205410&entry=ttu

And using the urlize filter on that mangles the URL.

I wonder if this is either a bug or a security feature? Is there a safe way around it, for rendering links to user-submitted URLs?

white-seolpyo · July 13, 2024, 12:01am

Are you sure you wrote the url correctly?

Where is the question mark??

https://example.com/data=https:%2F%2Ffoo.org%2F
=>
https://example.com/?data=https:%2F%2Ffoo.org%2F

KenWhitesell · July 13, 2024, 12:14am

The question mark is about 25 characters before the end. The only query data provided in the request is “coh=205410&entry=ttu”.
The rest of that text is all part of the url.

philgyford · July 13, 2024, 11:28am

As @KenWhitesell said, yes that url is correct. Weird and annoying, but correct.

white-seolpyo · July 14, 2024, 5:29am

I think this is an intentional conversion.
If you don’t want this, you have to write your own template filter or create the a tag in some other way.

urlize uses Urlizer.

github.com

django/django/blob/main/django/utils/html.py#L270


      
          class CountsDict(dict):
              def __init__(self, *args, word, **kwargs):
                  super().__init__(*args, *kwargs)
                  self.word = word
          
              def __missing__(self, key):
                  self[key] = self.word.count(key)
                  return self[key]
          
          
          class Urlizer:
              """
              Convert any URLs in text into clickable links.
          
              Work on http://, https://, www. links, and also on links ending in one of
              the original seven gTLDs (.com, .edu, .gov, .int, .mil, .net, and .org).
              Links can have trailing punctuation (periods, commas, close-parens) and
              leading punctuation (opening parens) and it'll still do the right thing.
              """
          
              trailing_punctuation_chars = ".,:;!"

And Urlizer uses smart_urlquote, where unquote is used.

github.com

django/django/blob/main/django/utils/html.py#L223


      
                  value = new_value
              return value
          
          
          @keep_lazy_text
          def strip_spaces_between_tags(value):
              """Return the given HTML with spaces between tags removed."""
              return re.sub(r">\s+<", "><", str(value))
          
          
          def smart_urlquote(url):
              """Quote a URL if it isn't already quoted."""
          
              def unquote_quote(segment):
                  segment = unquote(segment)
                  # Tilde is part of RFC 3986 Section 2.3 Unreserved Characters,
                  # see also https://bugs.python.org/issue16285
                  return quote(segment, safe=RFC3986_SUBDELIMS + RFC3986_GENDELIMS + "~")
          
              # Handle IDN before quoting.
              try:

Topic		Replies	Views
Add Css Class to urlize Templates & Frontend	10	822	March 21, 2022
encodeURIComponent is not honouring forwards slashes Templates & Frontend	5	1226	September 16, 2023
Make profile page with username in link (SOLVED) Using Django	5	3841	June 3, 2021
How to decode a https response url in django Getting Started	27	1016	February 3, 2024
Should "reverse" urlencode its args/kwargs? Django Internals	11	4767	July 27, 2023

urlize filter mangling encoding in URLs

Related topics