Added safety to URL decoding in is_safe_url() on Python 2

The errors='replace' parameter to force_text altered the URL before checking it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef.
2025-08-04 02:48:35 +00:00 · 2016-03-04 23:33:35 +01:00 · 2016-03-04 23:33:35 +01:00 · 552f03869e
commit 552f03869e
parent ada7a4aefb
4 changed files with 7 additions and 4 deletions
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@ -124,7 +124,7 @@ class TestUtilsHttp(unittest.TestCase):
            )
            self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
            self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
-            self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
+            self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))

        # Valid basic auth credentials are allowed.
        self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))