From: Chris Lamb <lamby@debian.org>
Date: Sat, 13 Jun 2020 15:31:58 +0100
Subject: CVE-2020-13596

---
 django/contrib/admin/widgets.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 26de9c7..64f3af5 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -15,6 +15,7 @@ from django.template.loader import render_to_string
 from django.urls import reverse
 from django.urls.exceptions import NoReverseMatch
 from django.utils import six
+from django.utils.http import urlencode
 from django.utils.encoding import force_text
 from django.utils.html import format_html, format_html_join, smart_urlquote
 from django.utils.safestring import mark_safe
@@ -166,7 +167,7 @@ class ForeignKeyRawIdWidget(forms.TextInput):
 
             params = self.url_parameters()
             if params:
-                url = '?' + '&amp;'.join('%s=%s' % (k, v) for k, v in params.items())
+                url = '?' + urlencode(params)
             else:
                 url = ''
             if "class" not in attrs: