Opened 3 days ago
Closed 31 hours ago
#36012 closed Bug (fixed)
Urlize incorrectly handles punctuation in email addresses
| Reported by: | Mike Edmunds | Owned by: | Mike Edmunds |
|---|---|---|---|
| Component: | Utilities | Version: | 5.1 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Several punctuation characters (%, &, +, !, etc.) can—and sometimes do—appear in the local part of an email address (before the @). The urlize template filter doesn't correctly encode them, which can result in broken mailto links.
Example (Django 5.1.4):
from django.template.defaultfilters import urlize urlize("it%dept@example.org") # '<a href="mailto:it%dept@example.org">it%dept@example.org</a>' # Expected: # '<a href="mailto:it%25dept@example.org">it%dept@example.org</a>'
Clicking the resulting mailto link might work as expected, or do nothing, or could launch a mail composer with a missing or incorrect email address, depending on the specific address, browser and email app. Sequences that could also be percent-encoded characters (like "%de" in the example) are especially prone to unpredictable results.
The mailto URI spec RFC 6068 requires percent encoding most punctuation in this situation (section 2, item 1; also see section 5, Encoding).
Proposed fix: apply urllib.parse.quote() to local where the mailto link is constructed in django.utils.html.Urlizer. (Although not strictly necessary, it wouldn't hurt to also quote domain there.)
Change History (5)
comment:1 by , 2 days ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 2 days ago
| Needs tests: | set |
|---|
comment:3 by , 45 hours ago
| Needs tests: | unset |
|---|
comment:4 by , 31 hours ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
comment:5 by , 31 hours ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
In 322e49b: