bug: `linkify` with `parse_email=True` doesn't handle "%" a "?" in `addr-specs`

[larseggert]

Describe the bug

bug: linkify with parse_email=True doesn't handle "%" and "?", which may occur in RFC822 addr-specs (see https://datatracker.ietf.org/doc/html/rfc2368#section-6)

• Python Version: 3.10.4
• Bleach Version: 5.0.0

To Reproduce

Steps to reproduce the behavior:

>>> bleach.linkify("gorby%kremvax@example.com", parse_email=True)
'<a href="mailto:gorby%kremvax@example.com">gorby%kremvax@example.com</a>'

Expected behavior

I expected RFC822 special characters to be percent-encoded according to RFC2368:

>>> bleach.linkify("gorby%kremvax@example.com", parse_email=True)
'<a href="mailto:gorby%25kremvax@example.com">gorby%kremvax@example.com</a>'

Additional context

Same issue exists with "?"; I didn't test other RFC822 special characters but suspect they are similarly left unquoted.

[willkg]

Thank you for the bug report! I'd appreciate a pull request from anyone who wants to tackle this. I don't think I'm going to get to it.

[larseggert]

I tried to wrap a urllib.parse.quote() around the the match.group(0) bit in https://github.com/mozilla/bleach/blob/481b146b074ed004eab39abf8f9b964fcd61c408/bleach/linkifier.py#L304 but that seems to have no effect.

[jozo]

I have noticed similar problem with clean() function. Maybe it has the same root cause.

Example:

In [1]: import bleach

In [2]: bleach.clean("<a href='https://example.org?a=1&b=2'>example</a>")
Out[2]: '<a href="https://example.org?a=1&amp;b=2">example</a>'

Notice that & is changed to &.

[willkg]

@jozo that's not the same thing. The & should be escaped to &.