diff --git a/django/utils/html.py b/django/utils/html.py
index 63a895b432..779155e88c 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -337,7 +337,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
if autoescape and not safe_input:
lead, trail = escape(lead), escape(trail)
trimmed = escape(trimmed)
- middle = '<a href="%s"%s>%s</a>' % (url, nofollow_attr, trimmed)
+ middle = '<a href="%s"%s>%s</a>' % (escape(url), nofollow_attr, trimmed)
words[i] = mark_safe('%s%s%s' % (lead, middle, trail))
else:
if safe_input:
diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py
index ee6744e6cb..38a0a3e3ed 100644
--- a/tests/template_tests/filter_tests/test_urlize.py
+++ b/tests/template_tests/filter_tests/test_urlize.py
@@ -18,8 +18,8 @@ class UrlizeTests(SimpleTestCase):
)
self.assertEqual(
output,
- '<a href="http://example.com/?x=&y=" rel="nofollow">http://example.com/?x=&y=</a> '
- '<a href="http://example.com?x=&y=%3C2%3E" rel="nofollow">http://example.com?x=&y=<2></a>'
+ '<a href="http://example.com/?x=&y=" rel="nofollow">http://example.com/?x=&y=</a> '
+ '<a href="http://example.com?x=&y=%3C2%3E" rel="nofollow">http://example.com?x=&y=<2></a>'
)
@setup({'urlize02': '{{ a|urlize }} {{ b|urlize }}'})
@@ -30,8 +30,8 @@ class UrlizeTests(SimpleTestCase):
)
self.assertEqual(
output,
- '<a href="http://example.com/?x=&y=" rel="nofollow">http://example.com/?x=&y=</a> '
- '<a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'
+ '<a href="http://example.com/?x=&y=" rel="nofollow">http://example.com/?x=&y=</a> '
+ '<a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'
)
@setup({'urlize03': '{% autoescape off %}{{ a|urlize }}{% endautoescape %}'})
@@ -78,7 +78,7 @@ class UrlizeTests(SimpleTestCase):
output = self.engine.render_to_string('urlize09', {'a': "http://example.com/?x=&y=<2>"})
self.assertEqual(
output,
- '<a href="http://example.com/?x=&y=%3C2%3E" rel="nofollow">http://example.com/?x=&y=<2></a>',
+ '<a href="http://example.com/?x=&y=%3C2%3E" rel="nofollow">http://example.com/?x=&y=<2></a>',
)
diff --git a/tests/template_tests/filter_tests/test_urlizetrunc.py b/tests/template_tests/filter_tests/test_urlizetrunc.py
index 2b4b18e1f5..cb5c2a6daf 100644
--- a/tests/template_tests/filter_tests/test_urlizetrunc.py
+++ b/tests/template_tests/filter_tests/test_urlizetrunc.py
@@ -19,8 +19,8 @@ class UrlizetruncTests(SimpleTestCase):
)
self.assertEqual(
output,
- '"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> '
- '"Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'
+ '"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> '
+ '"Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'
)
@setup({'urlizetrunc02': '{{ a|urlizetrunc:"8" }} {{ b|urlizetrunc:"8" }}'})
@@ -34,8 +34,8 @@ class UrlizetruncTests(SimpleTestCase):
)
self.assertEqual(
output,
- '"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> '
- '"Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'
+ '"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> '
+ '"Safe" <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'
)
@@ -72,7 +72,7 @@ class FunctionTests(SimpleTestCase):
def test_query_string(self):
self.assertEqual(
urlizetrunc('http://www.google.co.uk/search?hl=en&q=some+long+url&btnG=Search&meta=', 20),
- '<a href="http://www.google.co.uk/search?hl=en&q=some+long+url&btnG=Search&'
+ '<a href="http://www.google.co.uk/search?hl=en&q=some+long+url&btnG=Search&'
'meta=" rel="nofollow">http://www.google...</a>',
)