From: Chris Lamb <lamby@debian.org>
Date: Tue, 9 Jun 2020 15:55:54 +0100
Subject: CVE-2020-13596

---
 django/contrib/admin/widgets.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 209e028..1a96fa7 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -14,6 +14,7 @@ from django.urls.exceptions import NoReverseMatch
 from django.utils import six
 from django.utils.encoding import force_text
 from django.utils.html import smart_urlquote
+from django.utils.http import urlencode
 from django.utils.safestring import mark_safe
 from django.utils.text import Truncator
 from django.utils.translation import ugettext as _
@@ -149,7 +150,7 @@ class ForeignKeyRawIdWidget(forms.TextInput):
 
             params = self.url_parameters()
             if params:
-                related_url += '?' + '&amp;'.join('%s=%s' % (k, v) for k, v in params.items())
+                related_url += '?' + urlencode(params)
             context['related_url'] = mark_safe(related_url)
             context['link_title'] = _('Lookup')
             # The JavaScript code looks for this class.