#13260: urlresolvers.reverse() generates invalid URLs when an argument contains % character
-----------------------------+-------------------------------------
     Reporter:  semenov      |                    Owner:  aaugustin
         Type:  Bug          |                   Status:  assigned
    Component:  Core (URLs)  |                  Version:  master
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Accepted
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+-------------------------------------
Changes (by aaugustin):

 * owner:  stumbles => aaugustin
 * stage:  Design decision needed => Accepted


Comment:

 Judging by [http://hg.python.org/cpython/file/6aab72424063/Lib/wsgiref/simple_server.py#l82 the reference implementation],
 WSGI urlunquotes the path before putting it in `environ['PATH_INFO']`
 where Django reads it.

 That's where things get complicated :)

 1) To round-trip properly through reverse / resolve, arguments must not be
 urlquoted by reverse — there's nothing to urlunquote them in this
 scenario.

 2) To round-trip properly through reverse / render in template / click in
 browser / resolve, arguments must be urlquoted by reverse.

 ----

 The [https://docs.djangoproject.com/en/dev/ref/urlresolvers/#django.core.urlresolvers.reverse docs for reverse]
 say that "the string returned by `reverse()` is already urlquoted", which
 obviously isn't true for at least some special characters.

 This refers to the fact that `reverse()` calls `iri_to_uri()`, but that
 function is primarily concerned with escaping non-ASCII characters. It's
 also idempotent, which means it won't escape any character that's legal in
 a URL.

 ----

 I recommend changing `reverse()` to urlquote its arguments, for the
 following reasons:

 - (2) above is the common case
 - The current behavior doesn't match the docs
 - The current behavior may result in invalid URLs (that still work in
 practice -- URL handling code is notoriously robust to malformed inputs!)
 - Contributors who looked at this ticket until now were mostly in favor of
 considering this a bug

 It will be worth a note in the "backwards incompatible changes" because it
 seems very likely that some developers are working around the current,
 buggy behavior by urlquoting arguments to reverse, and they would get
 double-quoting.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/13260#comment:17>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
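
The two round-trips and the double-quoting risk described in the comment above, as an added example that is not part of the ticket and is not Django's code. The `/tag/<name>/` pattern, the function names and the sample arguments are constructed for illustration, and quoting with `safe=""` is an assumption about how arguments would be quoted.

```python
from urllib.parse import quote, unquote

# Hypothetical URL pattern "/tag/<name>/" standing in for a URLconf entry.
PREFIX, SUFFIX = "/tag/", "/"

def reverse_unquoted(name):
    """Behaviour the ticket reports: the argument is inserted as-is."""
    return f"{PREFIX}{name}{SUFFIX}"

def reverse_quoted(name):
    """Behaviour the comment recommends: the argument is percent-encoded."""
    return PREFIX + quote(name, safe="") + SUFFIX  # safe="" is an assumption

def wsgi_path_info(url_path):
    """The WSGI server urlunquotes the request path before setting PATH_INFO."""
    return unquote(url_path)

def resolve(path_info):
    """Recover the argument from PATH_INFO, or None if the pattern fails."""
    if path_info.startswith(PREFIX) and path_info.endswith(SUFFIX):
        name = path_info[len(PREFIX):-len(SUFFIX)]
        if name and "/" not in name:
            return name
    return None

def browser_round_trip(reverse, name):
    """Scenario 2: reverse -> template -> click -> WSGI unquote -> resolve."""
    return resolve(wsgi_path_info(reverse(name)))

def direct_round_trip(reverse, name):
    """Scenario 1: reverse -> resolve, with nothing to urlunquote in between."""
    return resolve(reverse(name))

SAMPLES = ["100%41", "50%25off", "a b"]  # constructed sample arguments

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name),
              "| unquoted, browser:", repr(browser_round_trip(reverse_unquoted, name)),
              "| quoted, browser:", repr(browser_round_trip(reverse_quoted, name)),
              "| quoted, direct:", repr(direct_round_trip(reverse_quoted, name)))
    # A caller who already urlquotes the argument as a workaround gets
    # double-quoting once reverse() quotes as well.
    prequoted = quote("50%25off", safe="")
    print("pre-quoted caller:", repr(browser_round_trip(reverse_quoted, prequoted)))
```

With unquoted arguments the view behind the browser path receives a different value from the one passed to reverse (`100%41` arrives as `100A`), which matters wherever that value selects an object or feeds an access check.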
