From bc1c41d374599025583a473b09bccb6deed408d5 Mon Sep 17 00:00:00 2001
From: ch4n3-yoon <ch4n3.yoon@gmail.com>
Date: Thu, 13 Jun 2024 20:09:09 +0900
Subject: [PATCH] Fix potential XSS vulnerability in break_long_headers template filter

The header input is now properly escaped before splitting and joining with <br> tags. This prevents potential XSS attacks if the header contains unsanitized user input.
---
 rest_framework/templatetags/rest_framework.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index e01568cf2c..dba8153b13 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -322,5 +322,5 @@ def break_long_headers(header):
     when possible (are comma separated)
     """
     if len(header) > 160 and ',' in header:
-        header = mark_safe('<br> ' + ', <br>'.join(header.split(',')))
+        header = mark_safe('<br> ' + ', <br>'.join(escape(header).split(',')))
     return header
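Review bot: The added `escape(header)` closes the mark_safe-on-raw-input hole on the long-header branch, but `escape` escapes unconditionally, so a caller that already passes a `SafeString` (pre-escaped or containing intended markup) will now be double-escaped and render literal `&amp;lt;` sequences; `conditional_escape(header)` would escape only not-yet-safe input while keeping the fix for plain strings, i.e. `header = mark_safe('<br> ' + ', <br>'.join(conditional_escape(header).split(',')))`. The short branch still returns the raw `header` unmarked, which is correct only while the template engine's autoescaping is on for that context — worth stating in the docstring, e.g. `Output is marked safe only on the long-header path; the short path relies on template autoescaping.` The hunk does not show the module's import block, so confirm that `escape` (or `conditional_escape`) is actually imported from `django.utils.html` here rather than resolving by accident. A regression test that feeds a header over 160 characters containing `<` and `&` and asserts the rendered output contains only the escaped entities plus the inserted `<br>` tags would pin the fix. The `break_long_headers` definition (its decorator and the start of its docstring) lies above the hunk.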