Escape target attribute in the urlize function in utils.py. (#507)
diff --git a/jinja2/utils.py b/jinja2/utils.py
index 612d5c3..2a64ce5 100644
--- a/jinja2/utils.py
+++ b/jinja2/utils.py
@@ -203,7 +203,7 @@
words = _word_split_re.split(text_type(escape(text)))
nofollow_attr = nofollow and ' rel="nofollow"' or ''
if target is not None and isinstance(target, string_types):
- target_attr = ' target="%s"' % target
+ target_attr = ' target="%s"' % escape(target)
else:
target_attr = ''
for i, word in enumerate(words):
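Review bot: Escaping `target` closes the attribute-injection hole, but the hunk still emits `target="..."` with no `rel` beyond the optional `nofollow`, so a caller passing `target="_blank"` produces links vulnerable to reverse tabnabbing (the opened page gets `window.opener`). Unless a later part of urlize adds it (not visible here), consider extending the rel handling on the new side, e.g. `rel_parts = ['nofollow'] if nofollow else []` / `if target == '_blank': rel_parts.append('noopener')` / `rel_attr = ' rel="%s"' % ' '.join(rel_parts) if rel_parts else ''`, or at least document the caveat: `# NOTE: target is escaped but no rel="noopener" is added; callers using _blank must add it`. The non-string `target` fallthrough on the `else` branch silently drops the value, which is worth a one-line comment as well. urlize's signature and the remainder of its body lie outside this hunk.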
diff --git a/tests/test_utils.py b/tests/test_utils.py
index 3731036..95cf043 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -14,7 +14,7 @@
import pickle
-from jinja2.utils import LRUCache, escape, object_type_repr
+from jinja2.utils import LRUCache, escape, object_type_repr, urlize
@pytest.mark.utils
@@ -74,3 +74,14 @@
escape(u"<foo>")
counts.add(len(gc.get_objects()))
assert len(counts) == 1, 'ouch, c extension seems to leak objects'
+
+
+@pytest.mark.utils
+@pytest.mark.escapeUrlizeTarget
+class TestEscapeUrlizeTarget():
+ def test_escape_urlize_target(self):
+ url = "http://example.org"
+ target = "<script>"
+ assert urlize(url, target=target) == ('<a href="http://example.org"'
+ ' target="<script>">'
+ 'http://example.org</a>')
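Review bot: The expected value on the last line of the assertion shows a literal `target="<script>"`, which is exactly the unescaped output the commit is meant to prevent; if this is what the test really contains it can only pass when `escape` is a no-op, so the intended expectation is `' target="&lt;script&gt;">'` (it may be an HTML-rendering artifact of the page, but confirm the source). The test also does not exercise the actual breakout character for a double-quoted attribute; add an assertion such as `assert urlize(url, target='"onclick="x') == '<a href="http://example.org" target="&#34;onclick=&#34;x">http://example.org</a>'` so a regression to plain `%s` formatting is caught. The custom `@pytest.mark.escapeUrlizeTarget` mark is unregistered and will warn or fail under strict markers; the existing `@pytest.mark.utils` is sufficient.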