Fixed #35533 -- Prevented urlize creating broken links given a markdown link input.

JaeHyuckSa · sarahboyce · commit a9fe98d5bd42 · 2025-08-28T08:54:56.000+02:00
Signed-off-by: SaJH &lt;wogur981208@gmail.com&gt;
diff --git a/django/utils/html.py b/django/utils/html.py
@@ -10,7 +10,7 @@
 
 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation, ValidationError
-from django.core.validators import EmailValidator
+from django.core.validators import DomainNameValidator, EmailValidator
 from django.utils.deprecation import RemovedInDjango70Warning
 from django.utils.functional import Promise, cached_property, keep_lazy, keep_lazy_text
 from django.utils.http import MAX_URL_LENGTH, RFC3986_GENDELIMS, RFC3986_SUBDELIMS
@@ -296,7 +296,9 @@ class Urlizer:
 
     simple_url_re = _lazy_re_compile(r"^https?://\[?\w", re.IGNORECASE)
     simple_url_2_re = _lazy_re_compile(
-        r"^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$", re.IGNORECASE
+        rf"^www\.|^(?!http)(?:{DomainNameValidator.hostname_re})"
+        r"\.(com|edu|gov|int|mil|net|org)($|/.*)$",
+        re.IGNORECASE,
     )
     word_split_re = _lazy_re_compile(r"""([\s<>"']+)""")
 
diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py
@@ -359,9 +359,8 @@ def test_brackets(self):
             "www.example.com</a>]",
         )
         self.assertEqual(
-            urlize("see test[at[example.com"),
-            'see <a href="https://test[at[example.com" rel="nofollow">'
-            "test[at[example.com</a>",
+            urlize("see test[at[example.com"),  # Invalid hostname.
+            "see test[at[example.com",
         )
         self.assertEqual(
             urlize("[http://168.192.0.1](http://168.192.0.1)"),
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
@@ -489,6 +489,7 @@ def test_urlize_unchanged_inputs(self):
             "foo@localhost.",
             "test@example?;+!.com",
             "email me@example.com,then I'll respond",
+            "[a link](https://www.djangoproject.com/)",
             # trim_punctuation catastrophic tests
             "(" * 100_000 + ":" + ")" * 100_000,
             "(" * 100_000 + "&:" + ")" * 100_000,

Original file line number	Diff line number	Diff line change
`@@ -359,9 +359,8 @@ def test_brackets(self):`
`359`	`359`	`"www.example.com</a>]",`
`360`	`360`	`)`
`361`	`361`	`self.assertEqual(`
`362`		`- urlize("see test[at[example.com"),`
`363`		`- 'see <a href="https://test[at[example.com" rel="nofollow">'`
`364`		`- "test[at[example.com</a>",`
	`362`	`+ urlize("see test[at[example.com"), # Invalid hostname.`
	`363`	`+ "see test[at[example.com",`
`365`	`364`	`)`
`366`	`365`	`self.assertEqual(`
`367`	`366`	`urlize("[http://168.192.0.1](http://168.192.0.1)"),`