Skip to content

Commit

Permalink
Make mistune.util.escape_url less aggressive
Browse files Browse the repository at this point in the history
This adds ';', '!', and '$' to the set of characters which will be
passed unmolested by escape_url.  These are all in RFC 3986 reserved
character list — that is to say: escaping these may change the meaning
of a URL.
  • Loading branch information
dairiki committed Jan 6, 2022
1 parent 3e8d352 commit fc2cd53
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion mistune/util.py
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,12 @@ def escape(s, quote=True):


def escape_url(link):
safe = '/#:()*?=%@+,&'
safe = (
':/?#@' # gen-delims - '[]' (rfc3986)
'!$&()*+,;=' # sub-delims - "'" (rfc3986)
'%' # leave already-encoded octets alone
)

if html is None:
return quote(link.encode('utf-8'), safe=safe)
return html.escape(quote(html.unescape(link), safe=safe))
Expand Down

0 comments on commit fc2cd53

Please sign in to comment.