#30043: AdminURLFieldWidget incorrectly unquotes URLs e.g. containing %2F
---------------------------------------------+-------------------------------------
               Reporter:  Brenton Partridge  |          Owner:  nobody
                   Type:  Bug                |         Status:  new
              Component:  contrib.admin      |        Version:  master
               Severity:  Normal             |       Keywords:  admin, urlfield, smart_urlquote, url, quote
           Triage Stage:  Unreviewed         |      Has patch:  0
    Needs documentation:  0                  |    Needs tests:  0
Patch needs improvement:  0                  |  Easy pickings:  0
                  UI/UX:  0                  |
---------------------------------------------+-------------------------------------
 Intended behavior: If a URLField is used in the Django admin, and the
 currently saved URL in the database contains the escape %2F, the href of
 the rendered link should contain that escape verbatim (e.g. %2F, not a /
 in that location).

 Current behavior (master branch, Python 3.7.0): The href of the rendered
 link contains a / in that location, creating an extra portion of the path
 and, when clicked, sending the admin user to a completely different and
 unintended URL.

 Root cause:
 https://github.com/django/django/blob/315357ad25a6590e7f4564ec2e56a22132b09001/django/contrib/admin/widgets.py#L340
 uses `smart_urlquote` to set the href (subsequently read by
 https://github.com/django/django/blob/master/django/contrib/admin/templates/admin/widgets/url.html).

 smart_urlquote (as implemented here:
 https://github.com/django/django/blob/315357ad25a6590e7f4564ec2e56a22132b09001/django/utils/html.py#L203)
 has caused problems before e.g.
 https://code.djangoproject.com/ticket/28123 . That issue, though, refers
 to a backport, whereas this behavior is broken on the master branch in
 Python 3.

 One fix would be to not use smart_urlquote, and just ensure that the href
 is set to the exact same value as initially shown in the input field and
 rendered as the text of the <a> tag. Is there a reason why smart_urlquote
 was used in the first place, though?

 I'm happy to submit a patch and test case if this is a desired fix.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30043>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
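
The behavior reported in the ticket, as an added example that is not part of the original report and is not Django's code: `lossy_normalize` is a simplified stand-in (an assumption) for an unquote-then-requote step, `preserving_normalize` and `href_diverges` are hypothetical helpers, and the URLs are constructed. It shows how `%2F` becomes a real path separator, one way to keep existing escapes verbatim, and a check that flags an href whose path structure differs from the stored value.

```python
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Left unescaped when re-quoting: RFC 3986 gen-delims, sub-delims and "~".
SAFE = ":/?#[]@" + "!$&'()*+,;=" + "~"

# Constructed sample: the third path segment contains an escaped slash.
STORED = "https://example.com/files/a%2Fb/info"


def lossy_normalize(url):
    """Assumed model of the reported behavior: unquote the path, then quote it."""
    p = urlsplit(url)
    # unquote() turns %2F into "/", and "/" is in SAFE, so the escape is lost.
    path = quote(unquote(p.path), safe=SAFE)
    return urlunsplit((p.scheme, p.netloc, path, p.query, p.fragment))


def preserving_normalize(url):
    """Quote only what needs quoting; valid %XX escapes are kept verbatim."""
    p = urlsplit(url)
    # Splitting on a capturing group puts the escapes at odd indexes.
    pieces = re.split(r"(%[0-9A-Fa-f]{2})", p.path)
    path = "".join(s if i % 2 else quote(s, safe=SAFE)
                   for i, s in enumerate(pieces))
    return urlunsplit((p.scheme, p.netloc, path, p.query, p.fragment))


def decoded_segments(url):
    """Split the path on literal "/" first, then decode each segment."""
    return [unquote(s) for s in urlsplit(url).path.split("/")]


def href_diverges(stored, href):
    """True when href addresses a different path structure than the stored URL."""
    return decoded_segments(stored) != decoded_segments(href)


if __name__ == "__main__":
    for fn in (lossy_normalize, preserving_normalize):
        href = fn(STORED)
        print(fn.__name__, href, "diverges:", href_diverges(STORED, href))
```
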
