Fixed #36017 -- Used EmailValidator in urlize to detect emails.

Author: gmaOCR

django/utils/html.py

@@ -7,7 +7,8 @@
 from html.parser import HTMLParser
 from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit
 
-from django.core.exceptions import SuspiciousOperation
+from django.core.exceptions import SuspiciousOperation, ValidationError
+from django.core.validators import EmailValidator
 from django.utils.encoding import punycode
 from django.utils.functional import Promise, cached_property, keep_lazy, keep_lazy_text
 from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
@@ -455,20 +456,9 @@ def trim_punctuation(self, word):
     @staticmethod
     def is_email_simple(value):
         """Return True if value looks like an email address."""
-        # An @ must be in the middle of the value.
-        if "@" not in value or value.startswith("@") or value.endswith("@"):
-            return False
         try:
-            p1, p2 = value.split("@")
-        except ValueError:
-            # value contains more than one @.
-            return False
-        # Max length for domain name labels is 63 characters per RFC 1034.
-        # Helps to avoid ReDoS vectors in the domain part.
-        if len(p2) > 63:
-            return False
-        # Dot must be in p2 (e.g. example.com)
-        if "." not in p2 or p2.startswith("."):
+            EmailValidator(allowlist=[])(value)
+        except ValidationError:
             return False
         return True
 

tests/utils_tests/test_html.py

@@ -374,15 +374,9 @@ def test_urlize(self):
             (
                 # RFC 6068 requires a mailto URI to percent-encode a number of
                 # characters that can appear in <addr-spec>.
-                "yes;this=is&a%[email protected]",
-                '<a href="mailto:yes%3Bthis%3Dis%26a%25valid%[email protected]"'
-                ">yes;this=is&a%[email protected]</a>",
-            ),
-            (
-                # Urlizer shouldn't urlize the "?org" part of this. But since
-                # it does, RFC 6068 requires percent encoding the "?".
-                "[email protected]?org",
-                '<a href="mailto:[email protected]%3Forg">[email protected]?org</a>',
+                "yes+this=is&a%[email protected]",
+                '<a href="mailto:yes%2Bthis%3Dis%26a%25valid%[email protected]"'
+                ">yes+this=is&a%[email protected]</a>",
             ),
         )
         for value, output in tests:
@@ -402,6 +396,8 @@ def test_urlize_unchanged_inputs(self):
             "[email protected]",
             "foo@localhost",
             "foo@localhost.",
+            "test@example?;+!.com",
+            "email [email protected],then I'll respond",
             # trim_punctuation catastrophic tests
             "(" * 100_000 + ":" + ")" * 100_000,
             "(" * 100_000 + "&:" + ")" * 100_000,