#30043: AdminURLFieldWidget incorrectly unquotes URLs e.g. containing %2F
-------------------------------------+-------------------------------------
     Reporter:  Brenton Partridge    |  Owner:  nobody
         Type:  Bug                  |  Status:  new
    Component:  contrib.admin        |  Version:  master
     Severity:  Normal               |  Keywords:  admin, urlfield, smart_urlquote, url, quote
 Triage Stage:  Unreviewed           |  Has patch:  0
Needs documentation:  0              |  Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
        UI/UX:  0                    |
-------------------------------------+-------------------------------------
Intended behavior: If a URLField is used in the Django admin, and the
currently saved URL in the database contains the escape %2F, the href of
the rendered link should contain that escape verbatim (e.g. %2F, not a /
in that location).
Current behavior (master branch, Python 3.7.0): The href of the rendered
link contains a / in that location, creating an extra portion of the path
and, when clicked, sending the admin user to a completely different and
unintended URL.
Root cause:
https://github.com/django/django/blob/315357ad25a6590e7f4564ec2e56a22132b09001/django/contrib/admin/widgets.py#L340
uses `smart_urlquote` to set the href (subsequently read by
https://github.com/django/django/blob/master/django/contrib/admin/templates/admin/widgets/url.html).
smart_urlquote (as implemented here:
https://github.com/django/django/blob/315357ad25a6590e7f4564ec2e56a22132b09001/django/utils/html.py#L203)
has caused problems before, e.g.
https://code.djangoproject.com/ticket/28123. That issue, though, refers
to a backport, whereas this behavior is broken on the master branch in
Python 3.
One fix would be to not use smart_urlquote, and just ensure that the href
is set to the exact same value as initially shown in the input field and
rendered as the text of the <a> tag. Is there a reason why smart_urlquote
was used in the first place, though?
I'm happy to submit a patch and test case if this is a desired fix.
--
Ticket URL: <https://code.djangoproject.com/ticket/30043>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
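The failure mode the ticket describes, as an added illustration that is not part of the ticket and not Django's own code: `lossy_requote` is a hypothetical, simplified model of an "unquote everything, then requote" normaliser (it is not `smart_urlquote` itself), `preserving_quote` is one way to escape a stored URL without touching existing `%XX` escapes, and `separators_introduced` is a check a test could run to catch an encoded delimiter turning into a real one. `SAMPLE_URL` is a constructed value.

```python
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed sample: a stored URL whose last path segment legitimately
# contains an encoded slash (%2F), as in the ticket.
SAMPLE_URL = "https://files.example/api/v1/docs/report%2F2018.pdf"


def lossy_requote(url: str) -> str:
    """Hypothetical simplified model (not Django's smart_urlquote) of the
    failure mode: decode every escape, then re-encode only unsafe
    characters. Because '/' counts as safe, a decoded %2F is never
    re-encoded and the path gains an extra segment."""
    parts = urlsplit(url)
    path = quote(unquote(parts.path), safe="/")
    return urlunsplit(parts._replace(path=path))


# A '%' that is not followed by two hex digits is a literal percent sign,
# not an escape, and is the only '%' that needs encoding.
_STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def preserving_quote(url: str) -> str:
    """Escape only what is unsafe and leave existing %XX escapes verbatim,
    so the href carries the same bytes as the stored value."""
    parts = urlsplit(url)
    path = quote(_STRAY_PERCENT.sub("%25", parts.path), safe="/%")
    return urlunsplit(parts._replace(path=path))


def path_segments(url: str) -> list:
    """Non-empty path segments, as a server would route them."""
    return [seg for seg in urlsplit(url).path.split("/") if seg]


def separators_introduced(url: str) -> bool:
    """True when the lossy normaliser changes the number of path segments,
    i.e. an encoded delimiter has been turned into a real one."""
    return len(path_segments(lossy_requote(url))) != len(path_segments(url))


if __name__ == "__main__":
    print("stored   :", SAMPLE_URL)
    print("lossy    :", lossy_requote(SAMPLE_URL))
    print("preserved:", preserving_quote(SAMPLE_URL))
    print("segments changed:", separators_introduced(SAMPLE_URL))
```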