Author: Tim Graham <timograham@gmail.com>
Date:   Wed Dec 3 16:14:00 2014 -0500
Subject: Fixed is_safe_url() to handle leading whitespace.
    
    This is a security fix. Disclosure following shortly.

Origin: backport, https://github.com/django/django/commit/4c241f1b710da6419d9dca160e80b23b82db7758
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -132,6 +132,7 @@ def is_safe_url(url, host=None):
     """
     if not url:
         return False
+    url = url.strip()
     # Chrome treats \ completely as /
     url = url.replace('\\', '/')
     # Chrome considers any URL with more than two slashes to be absolute, but