diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index c4b15cdd6ac..5773db6394d 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -305,9 +305,9 @@ class AdminURLFieldWidget(forms.URLInput):
html = super(AdminURLFieldWidget, self).render(name, value, attrs)
if value:
value = force_text(self._format_value(value))
- final_attrs = {'href': mark_safe(smart_urlquote(value))}
+ final_attrs = {'href': smart_urlquote(value)}
html = format_html(
- '
{0} {2} {3} {4}
',
+ '{0} {2} {3} {4}
',
_('Currently:'), flatatt(final_attrs), value,
_('Change:'), html
)
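Review bot: The new `final_attrs` line has no comment recording why `mark_safe` must not come back, and this is exactly the kind of line a later cleanup re-wraps "because the URL is already quoted". `smart_urlquote` percent-encodes the URL but does not HTML-escape it, so a `"` surviving in the value would close the `href` attribute unless `flatatt()` is left free to escape it; I would add above the line `# Do not mark_safe the href: smart_urlquote does not HTML-escape, flatatt() must still escape it.` The same reasoning applies to `value` on the line after, which `format_html` escapes only because it is passed as a plain argument. The enclosing `render` method starts before this hunk.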
diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py
index d275c7669e9..3184c7150bf 100644
--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
@@ -321,18 +321,24 @@ class AdminURLWidgetTest(DjangoTestCase):
w = widgets.AdminURLFieldWidget()
self.assertHTMLEqual(
conditional_escape(w.render('test', 'http://example-äüö.com')),
- 'Currently:http://example-äüö.com Change:
'
+ 'Currently: http://example-äüö.com Change:
'
)
def test_render_quoting(self):
+ # WARNING: Don't use assertHTMLEqual in that testcase!
+ # assertHTMLEqual will get rid of some escapes which are tested here!
w = widgets.AdminURLFieldWidget()
- self.assertHTMLEqual(
- conditional_escape(w.render('test', 'http://example.com/some text ')),
- 'Currently:http://example.com/<sometag>some text</sometag> Change:
'
+ self.assertEqual(
+ w.render('test', 'http://example.com/some text '),
+ 'Currently: http://example.com/<sometag>some text</sometag> Change:
'
)
- self.assertHTMLEqual(
- conditional_escape(w.render('test', 'http://example-äüö.com/some text ')),
- 'Currently:http://example-äüö.com/<sometag>some text</sometag> Change:
'
+ self.assertEqual(
+ w.render('test', 'http://example-äüö.com/some text '),
+ 'Currently: http://example-äüö.com/<sometag>some text</sometag> Change:
'
+ )
+ self.assertEqual(
+ w.render('test', 'http://www.example.com/%C3%A4">"'),
+ 'Currently: http://www.example.com/%C3%A4"><script>alert("XSS!")</script>" Change:
'
)
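Review bot: The warning comment at the top of `test_render_quoting` says not to use `assertHTMLEqual` but not what would go wrong, so a reader does not learn that the comparison normalizes attribute quoting and entities and would let an unescaped quote pass. I would reword the two lines to `# Don't use assertHTMLEqual here: it normalizes attribute quoting and entities,` / `# which would hide exactly the escaping this test exists to check.` The rendered markup in the expected strings is partly lost in this view, so whether the last assertion also pins the escaped `href` attribute (not only the text node) cannot be confirmed from here; if it does not, that is the part worth asserting explicitly. The class continues outside the hunk.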