Refs #26956 -- Removed the host parameter of django.utils.http.is_safe_url().

Per deprecation timeline.

django/utils/http.py

@@ -3,7 +3,6 @@ import calendar
 import datetime
 import re
 import unicodedata
-import warnings
 from binascii import Error as BinasciiError
 from email.utils import formatdate
 from urllib.parse import (
@@ -14,7 +13,6 @@ from urllib.parse import (
 
 from django.core.exceptions import TooManyFieldsSent
 from django.utils.datastructures import MultiValueDict
-from django.utils.deprecation import RemovedInDjango21Warning
 from django.utils.encoding import force_bytes
 from django.utils.functional import keep_lazy_text
 
@@ -264,7 +262,7 @@ def is_same_domain(host, pattern):
     )
 
 
-def is_safe_url(url, host=None, allowed_hosts=None, require_https=False):
+def is_safe_url(url, allowed_hosts=None, require_https=False):
     """
     Return ``True`` if the url is a safe redirection (i.e. it doesn't point to
     a different host and uses a safe scheme).
@@ -280,14 +278,6 @@ def is_safe_url(url, host=None, allowed_hosts=None, require_https=False):
         return False
     if allowed_hosts is None:
         allowed_hosts = set()
-    if host:
-        warnings.warn(
-            "The host argument is deprecated, use allowed_hosts instead.",
-            RemovedInDjango21Warning,
-            stacklevel=2,
-        )
-        # Avoid mutating the passed in allowed_hosts.
-        allowed_hosts = allowed_hosts | {host}
     # Chrome treats \ completely as / in paths but it could be part of some
     # basic auth credentials so we need to check both URLs.
     return (_is_safe_url(url, allowed_hosts, require_https=require_https) and

docs/releases/2.1.txt

@@ -239,3 +239,5 @@ how to remove usage of these features.
 
 * ``django.core.cache.backends.memcached.PyLibMCCache`` no longer supports
   passing ``pylibmc`` behavior settings as top-level attributes of ``OPTIONS``.
+
+* The ``host`` parameter of ``django.utils.http.is_safe_url()`` is removed.

tests/utils_tests/test_http.py

@@ -1,10 +1,8 @@
 import unittest
 from datetime import datetime
 
-from django.test import ignore_warnings
 from django.utils import http
 from django.utils.datastructures import MultiValueDict
-from django.utils.deprecation import RemovedInDjango21Warning
 
 
 class TestUtilsHttp(unittest.TestCase):
@@ -107,8 +105,6 @@ class TestUtilsHttp(unittest.TestCase):
             'http://2001:cdba:0000:0000:0000:0000:3257:9652]/',
         )
         for bad_url in bad_urls:
-            with ignore_warnings(category=RemovedInDjango21Warning):
-                self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
             self.assertFalse(
                 http.is_safe_url(bad_url, allowed_hosts={'testserver', 'testserver2'}),
                 "%s should be blocked" % bad_url,
@@ -127,8 +123,6 @@ class TestUtilsHttp(unittest.TestCase):
             'path/http:2222222222',
         )
         for good_url in good_urls:
-            with ignore_warnings(category=RemovedInDjango21Warning):
-                self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
             self.assertTrue(
                 http.is_safe_url(good_url, allowed_hosts={'otherserver', 'testserver'}),
                 "%s should be allowed" % good_url,