[Django] #36017: Urlize email address allows punctuation in domains


Django

Dec 16, 2024, 2:22:14 PM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
------------------------------+--------------------------------------
Reporter: Mike Edmunds | Type: Bug
Status: new | Component: Utilities
Version: 5.1 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
The urlize template filter incorrectly recognizes domains in email
addresses, linkifying punctuation that shouldn't be included in the
address:

{{{#!python
# Django 5.1.4, Python 3.12.4
>>> from django.template.defaultfilters import urlize
>>> urlize("email m...@example.com,then I'll respond")
'email <a href="mailto:m...@example.com,then">m...@example.com,then</a> I&#x27;ll respond'
>>> urlize("test@example?;+!.com")
'<a href="mailto:test@example?;+!.com">test@example?;+!.com</a>'
}}}

The first example should probably stop before the comma. The second
example probably shouldn't linkify at all.

See also #36012.
--
Ticket URL: <https://code.djangoproject.com/ticket/36017>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Dec 17, 2024, 4:07:16 AM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
------------------------------+------------------------------------
Reporter: Mike Edmunds | Owner: (none)
Type: Bug | Status: new
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by Sarah Boyce):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:1>

Django

Dec 18, 2024, 3:00:12 PM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
------------------------------+------------------------------------
Reporter: Mike Edmunds | Owner: (none)
Type: Bug | Status: new
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Comment (by Mike Edmunds):

Possible fix: Urlizer could check that validate_email() would allow the
email address before generating a mailto. That would result in it ignoring
both of the examples above. (#36014 would need to be fixed first to avoid
rejecting some international domains.)
--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:2>

Django

Dec 19, 2024, 10:57:15 AM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
------------------------------+-------------------------------------------
Reporter: Mike Edmunds | Owner: Gregory Mariani
Type: Bug | Status: assigned
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------------
Changes (by Gregory Mariani):

* owner: (none) => Gregory Mariani
* status: new => assigned

Comment:

I have done a fix, need to run the CI to validate, first time on this repo
for me:
django.utils.html.py
{{{
from django.core.exceptions import ValidationError
from django.core.validators import validate_email
...
    @staticmethod
    def is_email_simple(value):
        """Return True if value looks like an email address."""
        # An @ must be in the middle of the value.
        if "@" not in value or value.startswith("@") or value.endswith("@"):
            return False
        try:
            p1, p2 = value.split("@")
        except ValueError:
            # value contains more than one @.
            return False
        # Max length for domain name labels is 63 characters per RFC 1034.
        # Helps to avoid ReDoS vectors in the domain part.
        if len(p2) > 63:
            return False
        # Dot must be in p2 (e.g. example.com)
        if "." not in p2 or p2.startswith("."):
            return False
        # validate_email() returns None on success and raises ValidationError
        # on failure, so its result cannot be tested with "not".
        try:
            validate_email(value)
        except ValidationError:
            return False
        return True
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:3>
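
The validate-before-linking approach proposed in the comments above, as an added standard-library sketch (not Django's code and not from the ticket). `is_valid_email` and `linkify_emails` are hypothetical names, the validator is a simplified ASCII-only stand-in for `validate_email()`, and the sample addresses are constructed.

```python
import html
import re
from urllib.parse import quote

# Hostname label (RFC 1034/1123): letters, digits, hyphens, no edge hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)\Z")
# Simplified dot-atom local part (assumption: no quoted strings, ASCII only).
ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL_RE = re.compile(ATOM + r"(\." + ATOM + r")*\Z")
TRAILING_PUNCT = ".,:;!?"


def is_valid_email(value):
    """Stand-in for a strict validator: one @, valid local part, dotted LDH domain."""
    local, sep, domain = value.rpartition("@")
    if not sep or "@" in local or not LOCAL_RE.match(local):
        return False
    labels = domain.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def linkify_emails(text):
    """HTML-escape text, wrapping only validated addresses in mailto links."""
    out = []
    for token in re.split(r"(\s+)", text):
        # Sentence punctuation after an address stays outside the link.
        core = token.rstrip(TRAILING_PUNCT)
        trail = token[len(core):]
        if is_valid_email(core):
            # Percent-encode the href; escape the visible text separately.
            href = "mailto:" + quote(core, safe="@")
            out.append('<a href="%s">%s</a>%s'
                       % (href, html.escape(core), html.escape(trail)))
        else:
            # Not a valid address: emit escaped text, never a link.
            out.append(html.escape(token))
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs modelled on the two cases in the ticket.
    for sample in ("email user@example.com,then I'll respond",
                   "test@example?;+!.com",
                   "write to user@example.com."):
        print(linkify_emails(sample))
```

With this check neither of the ticket's two inputs produces a `mailto:` link, matching the outcome described in the proposal, while an address followed by sentence punctuation is still linked.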

Django

Dec 19, 2024, 2:18:14 PM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
------------------------------+-------------------------------------------
Reporter: Mike Edmunds | Owner: Gregory Mariani
Type: Bug | Status: assigned
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------------
Changes (by Gregory Mariani):

* has_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:4>

Django

Dec 19, 2024, 3:14:34 PM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
------------------------------+-------------------------------------------
Reporter: Mike Edmunds | Owner: Gregory Mariani
Type: Bug | Status: assigned
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------------
Changes (by Mike Edmunds):

* needs_tests: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:5>

Django

Dec 21, 2024, 1:28:43 PM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
------------------------------+-------------------------------------------
Reporter: Mike Edmunds | Owner: Gregory Mariani
Type: Bug | Status: assigned
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------------
Changes (by Gregory Mariani):

* needs_tests: 1 => 0

Comment:

Test done and PR validated on PR #18959
--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:6>

Django

Jan 17, 2025, 6:30:08 AM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
-------------------------------------+-------------------------------------
Reporter: Mike Edmunds | Owner: Gregory
| Mariani
Type: Bug | Status: assigned
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Gregory Mariani):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:7>

Django

Jan 17, 2025, 7:33:33 AM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
------------------------------+-------------------------------------------
Reporter: Mike Edmunds | Owner: Gregory Mariani
Type: Bug | Status: assigned
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------------
Changes (by Sarah Boyce):

* stage: Ready for checkin => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:8>

Django

Jan 17, 2025, 8:29:44 AM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
------------------------------+-------------------------------------------
Reporter: Mike Edmunds | Owner: Gregory Mariani
Type: Bug | Status: assigned
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:9>

Django

Jan 17, 2025, 1:59:12 PM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
------------------------------+-------------------------------------------
Reporter: Mike Edmunds | Owner: Gregory Mariani
Type: Bug | Status: assigned
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------------
Changes (by Gregory Mariani):

* needs_better_patch: 1 => 0

Comment:

@Sarah Boyce who changes the triage if someone has already done a review on
the PR?
--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:10>

Django

Jan 20, 2025, 2:52:11 AM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
-------------------------------------+-------------------------------------
Reporter: Mike Edmunds | Owner: Gregory
| Mariani
Type: Bug | Status: assigned
Component: Utilities | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:11>

Django

Jan 20, 2025, 3:50:41 AM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
-------------------------------------+-------------------------------------
Reporter: Mike Edmunds | Owner: Gregory
| Mariani
Type: Bug | Status: closed
Component: Utilities | Version: 5.1
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce <42296566+sarahboyce@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"61dae11df52fae71fc3050974ac459f362c9dfd7" 61dae11d]:
{{{#!CommitTicketReference repository=""
revision="61dae11df52fae71fc3050974ac459f362c9dfd7"
Fixed #36017 -- Used EmailValidator in urlize to detect emails.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:12>

Django

Jan 20, 2025, 8:06:08 AM
to django-...@googlegroups.com
#36017: Urlize email address allows punctuation in domains
-------------------------------------+-------------------------------------
Reporter: Mike Edmunds | Owner: Gregory
| Mariani
Type: Bug | Status: closed
Component: Utilities | Version: 5.1
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Sarah Boyce <42296566+sarahboyce@…>):

In [changeset:"dab04b89af91467e9a95ffaf30c1904fce7fff47" dab04b89]:
{{{#!CommitTicketReference repository=""
revision="dab04b89af91467e9a95ffaf30c1904fce7fff47"
[5.2.x] Fixed #36017 -- Used EmailValidator in urlize to detect emails.

Backport of 61dae11df52fae71fc3050974ac459f362c9dfd7 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36017#comment:13>