diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py index b0b094bb70..1500a05ab3 100644 --- a/django/template/defaultfilters.py +++ b/django/template/defaultfilters.py @@ -291,10 +291,20 @@ def upper(value): upper.is_safe = False upper = stringfilter(upper) -def urlencode(value): - """Escapes a value for use in a URL.""" +def urlencode(value, safe=None): + """ + Escapes a value for use in a URL. + + Takes an optional ``safe`` parameter used to determine the characters which + should not be escaped by Django's ``urlquote`` method. If not provided, the + default safe characters will be used (but an empty string can be provided + when *all* characters should be escaped). + """ from django.utils.http import urlquote - return urlquote(value) + kwargs = {} + if safe is not None: + kwargs['safe'] = safe + return urlquote(value, **kwargs) urlencode.is_safe = False urlencode = stringfilter(urlencode) diff --git a/django/utils/http.py b/django/utils/http.py index f0b1af9c58..610fcbf685 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -14,7 +14,7 @@ def urlquote(url, safe='/'): can safely be used as part of an argument to a subsequent iri_to_uri() call without double-quoting occurring. """ - return force_unicode(urllib.quote(smart_str(url), safe)) + return force_unicode(urllib.quote(smart_str(url), smart_str(safe))) urlquote = allow_lazy(urlquote, unicode) @@ -25,7 +25,7 @@ def urlquote_plus(url, safe=''): returned string can safely be used as part of an argument to a subsequent iri_to_uri() call without double-quoting occurring. """ - return force_unicode(urllib.quote_plus(smart_str(url), safe)) + return force_unicode(urllib.quote_plus(smart_str(url), smart_str(safe))) urlquote_plus = allow_lazy(urlquote_plus, unicode) def urlencode(query, doseq=0): diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 4f33bd212c..85c0b6dc26 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -1967,6 +1967,19 @@ For example:: If ``value`` is ``"http://www.example.org/foo?a=b&c=d"``, the output will be ``"http%3A//www.example.org/foo%3Fa%3Db%26c%3Dd"``. +.. versionadded:: 1.1 + +An optional argument containing the characters which should not be escaped can +be provided. + +If not provided, the '/' character is assumed safe. An empty string can be +provided when *all* characters should be escaped. For example:: + + {{ value|urlencode:"" }} + +If ``value`` is ``"http://www.example.org/"``, the output will be +``"http%3A%2F%2Fwww.example.org%2F"``. + .. templatefilter:: urlize urlize diff --git a/tests/regressiontests/templates/filters.py b/tests/regressiontests/templates/filters.py index af34c58a9f..9ada4fb26e 100644 --- a/tests/regressiontests/templates/filters.py +++ b/tests/regressiontests/templates/filters.py @@ -265,6 +265,10 @@ def get_filter_tests(): 'filter-iriencode03': ('{{ url|iriencode }}', {'url': mark_safe('?test=1&me=2')}, '?test=1&me=2'), 'filter-iriencode04': ('{% autoescape off %}{{ url|iriencode }}{% endautoescape %}', {'url': mark_safe('?test=1&me=2')}, '?test=1&me=2'), + # urlencode + 'filter-urlencode01': ('{{ url|urlencode }}', {'url': '/test&"/me?/'}, '/test%26%22/me%3F/'), + 'filter-urlencode02': ('/test/{{ urlbit|urlencode:"" }}/', {'urlbit': 'escape/slash'}, '/test/escape%2Fslash/'), + # Chaining a bunch of safeness-preserving filters should not alter # the safe status either way. 'chaining01': ('{{ a|capfirst|center:"7" }}.{{ b|capfirst|center:"7" }}', {"a": "a < b", "b": mark_safe("a < b")}, " A < b . A < b "),