diff --git a/django/utils/html.py b/django/utils/html.py
index 63a895b432..779155e88c 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -337,7 +337,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
if autoescape and not safe_input:
lead, trail = escape(lead), escape(trail)
trimmed = escape(trimmed)
- middle = '%s' % (url, nofollow_attr, trimmed)
+ middle = '%s' % (escape(url), nofollow_attr, trimmed)
words[i] = mark_safe('%s%s%s' % (lead, middle, trail))
else:
if safe_input:
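Review bot: The added `escape(url)` on the `middle = ...` line appears to run regardless of the `autoescape and not safe_input` guard that controls escaping of `lead`, `trail` and `trimmed`, and nothing in the code explains the asymmetry. This is inferred from statement order, since the hunk's indentation is lost on this page. If the URL is interpolated into an attribute value (presumably the link's href, though the format string is not intact here), unconditional escaping is the right call. A comment such as `# Always escape url: it is emitted inside an attribute, so & and quotes must be encoded even when autoescape is off` would stop a later cleanup from moving it under the guard. It is also worth confirming, in the part of `urlize` outside this hunk, that `url` cannot still hold entity-encoded text when `safe_input` is true, because `escape()` would then double-encode it (`&amp;` becoming `&amp;amp;`).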
diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py
index ee6744e6cb..38a0a3e3ed 100644
--- a/tests/template_tests/filter_tests/test_urlize.py
+++ b/tests/template_tests/filter_tests/test_urlize.py
@@ -18,8 +18,8 @@ class UrlizeTests(SimpleTestCase):
)
self.assertEqual(
output,
- 'http://example.com/?x=&y= '
- 'http://example.com?x=&y=<2>'
+ 'http://example.com/?x=&y= '
+ 'http://example.com?x=&y=<2>'
)
@setup({'urlize02': '{{ a|urlize }} {{ b|urlize }}'})
@@ -30,8 +30,8 @@ class UrlizeTests(SimpleTestCase):
)
self.assertEqual(
output,
- 'http://example.com/?x=&y= '
- 'http://example.com?x=&y='
+ 'http://example.com/?x=&y= '
+ 'http://example.com?x=&y='
)
@setup({'urlize03': '{% autoescape off %}{{ a|urlize }}{% endautoescape %}'})
@@ -78,7 +78,7 @@ class UrlizeTests(SimpleTestCase):
output = self.engine.render_to_string('urlize09', {'a': "http://example.com/?x=&y=<2>"})
self.assertEqual(
output,
- 'http://example.com/?x=&y=<2>',
+ 'http://example.com/?x=&y=<2>',
)
diff --git a/tests/template_tests/filter_tests/test_urlizetrunc.py b/tests/template_tests/filter_tests/test_urlizetrunc.py
index 2b4b18e1f5..cb5c2a6daf 100644
--- a/tests/template_tests/filter_tests/test_urlizetrunc.py
+++ b/tests/template_tests/filter_tests/test_urlizetrunc.py
@@ -19,8 +19,8 @@ class UrlizetruncTests(SimpleTestCase):
)
self.assertEqual(
output,
- '"Unsafe" http:... '
- '"Safe" http:...'
+ '"Unsafe" http:... '
+ '"Safe" http:...'
)
@setup({'urlizetrunc02': '{{ a|urlizetrunc:"8" }} {{ b|urlizetrunc:"8" }}'})
@@ -34,8 +34,8 @@ class UrlizetruncTests(SimpleTestCase):
)
self.assertEqual(
output,
- '"Unsafe" http:... '
- '"Safe" http:...'
+ '"Unsafe" http:... '
+ '"Safe" http:...'
)
@@ -72,7 +72,7 @@ class FunctionTests(SimpleTestCase):
def test_query_string(self):
self.assertEqual(
urlizetrunc('http://www.google.co.uk/search?hl=en&q=some+long+url&btnG=Search&meta=', 20),
- 'http://www.google...',
)