#34380: URLField assumes http
------------------------------------------------+------------------------
Reporter: Coen van der Kamp                     | Owner: nobody
Type: Cleanup/optimization                      | Status: new
Component: Forms                                | Version: 4.1
Severity: Normal                                | Keywords:
Triage Stage: Unreviewed                        | Has patch: 0
Needs documentation: 0                          | Needs tests: 0
Patch needs improvement: 0                      | Easy pickings: 0
UI/UX: 0                                        |
------------------------------------------------+------------------------

In `django.forms.fields.URLField.to_python` the assumption is made that
`http` (no S) is a good default scheme for URLs that do not specify a
scheme when submitted.

Entering `example.com` in a URLField will give `http://example.com` as
cleaned data.

Ref:
https://github.com/django/django/blame/main/django/forms/fields.py#L772-L774

I think URLField should assume the safe option `https`.

I've notified the security team, and they didn't see this as a security
issue.

--
Ticket URL: <https://code.djangoproject.com/ticket/34380>
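
The behaviour the ticket describes, as an added standard-library example that is not Django's code and not part of the original ticket: a simplified model of filling in a missing scheme, with the default made a parameter so the `http` and `https` outcomes can be compared. The names `clean_url`, `compare_defaults` and `SAMPLES` are hypothetical, and the real field also runs validators that this sketch omits.

```python
from urllib.parse import urlsplit, urlunsplit


def clean_url(value, default_scheme="https"):
    """Simplified model of the scheme handling the ticket describes.

    Returns (cleaned_url, scheme_was_assumed). Assumption: input is a plain
    host or URL; no validation is performed here.
    """
    value = value.strip()
    if not value:
        return "", False
    parts = list(urlsplit(value))  # [scheme, netloc, path, query, fragment]
    assumed = not parts[0]
    if assumed:
        parts[0] = default_scheme
    if not parts[1]:
        # With no scheme, urlsplit() puts "example.com/x" in the path slot;
        # move it to netloc and re-split so host and path separate again.
        parts[1], parts[2] = parts[2], ""
        parts = list(urlsplit(urlunsplit(parts)))
    return urlunsplit(parts), assumed


# Constructed sample inputs, as a user might type them into a form.
SAMPLES = [
    "example.com",
    "example.com/login?next=/",
    "http://example.com",
    "https://example.com",
]


def compare_defaults(samples=SAMPLES):
    """Clean each input under an http default and under an https default."""
    rows = []
    for raw in samples:
        as_http, assumed = clean_url(raw, default_scheme="http")
        as_https, _ = clean_url(raw, default_scheme="https")
        rows.append((raw, as_http, as_https, assumed))
    return rows


if __name__ == "__main__":
    for raw, as_http, as_https, assumed in compare_defaults():
        note = "scheme assumed" if assumed else "scheme given by user"
        print(f"{raw!r:28} {as_http!r:36} {as_https!r:36} {note}")
```

Only inputs without a scheme are affected by the default; a URL the user typed with an explicit `http://` is returned unchanged under either setting.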