From bc1c41d374599025583a473b09bccb6deed408d5 Mon Sep 17 00:00:00 2001
From: ch4n3-yoon <ch4n3.yoon@gmail.com>
Date: Thu, 13 Jun 2024 20:09:09 +0900
Subject: [PATCH] Fix potential XSS vulnerability in break_long_headers
 template filter

The header input is now properly escaped before splitting and joining with <br> tags. This prevents potential XSS attacks if the header contains unsanitized user input.
---
 rest_framework/templatetags/rest_framework.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index e01568cf2c..dba8153b13 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -322,5 +322,5 @@ def break_long_headers(header):
     when possible (are comma separated)
     """
     if len(header) > 160 and ',' in header:
-        header = mark_safe('<br> ' + ', <br>'.join(header.split(',')))
+        header = mark_safe('<br> ' + ', <br>'.join(escape(header).split(',')))
     return header
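Review bot: The fix ships without a regression test, since the diffstat shows only the template-tag module changing, and nothing pins that a long comma-separated header carrying markup now comes back escaped; a single assertion in the templatetags tests, e.g. `assert '<script>' not in break_long_headers('<script>alert(1)</script>,' * 20)`, would lock the behaviour in. The hunk also calls `escape` without adding an import, so it presumably relies on the module already importing it from `django.utils.html` — worth confirming, and note that plain `escape` will double-escape a value that is already a SafeString, which is the stricter and probably intended choice for header values. The docstring should record the new contract, e.g. add `The header is HTML-escaped before the <br> tags are inserted, so the marked-safe result cannot carry markup from the input.` The short or comma-free branch still returns the raw string and depends on template autoescaping being on; the `def` line and decorator of break_long_headers sit above the hunk.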