Fixed #35533 -- Prevented urlize creating broken links given a markdown link input.

Signed-off-by: SaJH <wogur981208@gmail.com>
2025-09-05 03:45:09 +03:00 · 2025-08-27 23:25:43 +09:00 · 2025-08-27 23:25:43 +09:00 · a9fe98d5bd
commit a9fe98d5bd
parent 05bac8c420
3 changed files with 7 additions and 5 deletions
--- a/django/utils/html.py
+++ b/django/utils/html.py
@ -10,7 +10,7 @@ from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsp

 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation, ValidationError
-from django.core.validators import EmailValidator
+from django.core.validators import DomainNameValidator, EmailValidator
 from django.utils.deprecation import RemovedInDjango70Warning
 from django.utils.functional import Promise, cached_property, keep_lazy, keep_lazy_text
 from django.utils.http import MAX_URL_LENGTH, RFC3986_GENDELIMS, RFC3986_SUBDELIMS
@ -296,7 +296,9 @@ class Urlizer:

    simple_url_re = _lazy_re_compile(r"^https?://\[?\w", re.IGNORECASE)
    simple_url_2_re = _lazy_re_compile(
-        r"^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$", re.IGNORECASE
+        rf"^www\.|^(?!http)(?:{DomainNameValidator.hostname_re})"
+        r"\.(com|edu|gov|int|mil|net|org)($|/.*)$",
+        re.IGNORECASE,
    )
    word_split_re = _lazy_re_compile(r"""([\s<>"']+)""")

--- a/tests/template_tests/filter_tests/test_urlize.py
+++ b/tests/template_tests/filter_tests/test_urlize.py
@ -359,9 +359,8 @@ class FunctionTests(SimpleTestCase):
            "www.example.com</a>]",
        )
        self.assertEqual(
-            urlize("see test[at[example.com"),
-            'see <a href="https://test[at[example.com" rel="nofollow">'
-            "test[at[example.com</a>",
+            urlize("see test[at[example.com"),  # Invalid hostname.
+            "see test[at[example.com",
        )
        self.assertEqual(
            urlize("[http://168.192.0.1](http://168.192.0.1)"),
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@ -489,6 +489,7 @@ class TestUtilsHtml(SimpleTestCase):
            "foo@localhost.",
            "test@example?;+!.com",
            "email me@example.com,then I'll respond",
+            "[a link](https://www.djangoproject.com/)",
            # trim_punctuation catastrophic tests
            "(" * 100_000 + ":" + ")" * 100_000,
            "(" * 100_000 + "&:" + ")" * 100_000,