#36586: Escaping (ampersand) in browsable API URLs
---------------------------------+--------------------------------------
     Reporter:  J M              |                    Owner:  (none)
         Type:  Bug              |                   Status:  closed
    Component:  Template system  |                  Version:  5.2
     Severity:  Normal           |               Resolution:  invalid
     Keywords:  urlize           |             Triage Stage:  Unreviewed
    Has patch:  0                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------
Comment (by Bruno Alla):

 ''To whoever finds this ticket...''

 I think the problem wasn't reported in the best way by OP. The issue was
 indeed caught in the browsable API in DRF, and we managed to isolate the
 problem with the following snippet:

 {{{
 >>> from django.utils.html import urlize
 >>> urlize('http://example.com/foos/?page=2&timestamp=1')
 '<a href="http://example.com/foos/?page=2%C3%97tamp%3D1">http://example.com/foos/?page=2&timestamp=1</a>'
 }}}

 The problem manifests by `&timestamp=1` being translated to
 `%C3%97tamp%3D1`. I didn't see the string `&times;` in that, so suspected a
 bug, potentially inherited from Python. Looking more closely at the Django
 implementation, it indeed relies heavily on the Python API
 `html.unescape`, which has the same behaviour:

 {{{
 >>> import html
 >>> html.unescape('https://example.com/?page=1&timestamp=3')
 'https://example.com/?page=1×tamp=3'
 }}}

 Searching the CPython issue tracker brought up this issue
 https://github.com/python/cpython/issues/85050 which says:

 > According to
 > https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#cite_ref-semicolon_1-64
 > the trailing semicolon can be omitted for the
 > named entity "reg". That means "&reg" and "®" are equivalent.

 So this is working as per the spec.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36586#comment:3>
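
The behaviour described in the comment above, as an added example that is not part of the ticket or of Django's code: it uses only the standard-library `html.unescape` to list the query parameters of a raw URL whose `&name` prefix is decoded as a semicolon-less entity. The round-trip check assumes the remedy is to HTML-escape the URL before it reaches code that unescapes it, which the ticket does not state; all sample URLs except the first are constructed.

```python
import html
from urllib.parse import urlsplit


def ambiguous_params(raw_url):
    """List query parameters whose '&name' prefix html.unescape() decodes.

    raw_url must be a plain URL, not one that is already HTML-escaped.
    Returns (parameter_name, decoded_form) tuples.
    """
    parts = urlsplit(raw_url).query.split("&")
    hits = []
    # The first parameter follows "?", not "&", so it cannot start a reference.
    for part in parts[1:]:
        source = "&" + part
        decoded = html.unescape(source)
        if decoded != source:
            hits.append((part.split("=", 1)[0], decoded))
    return hits


def roundtrips(raw_url):
    """True if the URL survives html.unescape() once it has been HTML-escaped."""
    return html.unescape(html.escape(raw_url)) == raw_url


# Sample URLs: the first is the one from the ticket, the others are constructed.
SAMPLES = [
    "http://example.com/foos/?page=2&timestamp=1",
    "http://example.com/foos/?page=2&region=eu&copyright=1",
    "http://example.com/foos/?page=2&sort=name",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url)
        print("  decoded as entities:", ambiguous_params(url))
        print("  safe once escaped:  ", roundtrips(url))
```
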