diff --git a/docs/api-guide/content-negotiation.md b/docs/api-guide/content-negotiation.md
index 94dd59cac..58b2a2ce0 100644
--- a/docs/api-guide/content-negotiation.md
+++ b/docs/api-guide/content-negotiation.md
@@ -1,5 +1,3 @@
-
-
# Content negotiation
> HTTP has provisions for several mechanisms for "content negotiation" - the process of selecting the best representation for a given response when there are multiple representations available.
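Review bot: The two blank-line removals at the top of content-negotiation.md are unrelated to the 2.3.14 release and its security fix. Move this whitespace cleanup to a separate commit so the security change stays small and can be cherry-picked or backported on its own.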
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 335497eec..ea4c912c9 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,24 +40,28 @@ You can determine your currently installed version using `pip freeze`:
## 2.3.x series
-### 2.3.x
+### 2.3.14
-**Date**: April 2014
+**Date**: 12th June 2014
-* Fix nested serializers linked through a backward foreign key relation
-* Fix bad links for the `BrowsableAPIRenderer` with `YAMLRenderer`
-* Add `UnicodeYAMLRenderer` that extends `YAMLRenderer` with unicode
-* Fix `parse_header` argument convertion
-* Fix mediatype detection under Python3
-* Web browseable API now offers blank option on dropdown when the field is not required
-* `APIException` representation improved for logging purposes
-* Allow source="*" within nested serializers
-* Better support for custom oauth2 provider backends
-* Fix field validation if it's optional and has no value
-* Add `SEARCH_PARAM` and `ORDERING_PARAM`
-* Fix `APIRequestFactory` to support arguments within the url string for GET
-* Allow three transport modes for access tokens when accessing a protected resource
-* Fix `Request`'s `QueryDict` encoding
+* **Security fix**: Escape request path when it is include as part of the login and logout links in the browsable API.
+* `help_text` and `verbose_name` automatically set for related fields on `ModelSerializer`.
+* Fix nested serializers linked through a backward foreign key relation.
+* Fix bad links for the `BrowsableAPIRenderer` with `YAMLRenderer`.
+* Add `UnicodeYAMLRenderer` that extends `YAMLRenderer` with unicode.
+* Fix `parse_header` argument convertion.
+* Fix mediatype detection under Python 3.
+* Web browseable API now offers blank option on dropdown when the field is not required.
+* `APIException` representation improved for logging purposes.
+* Allow source="*" within nested serializers.
+* Better support for custom oauth2 provider backends.
+* Fix field validation if it's optional and has no value.
+* Add `SEARCH_PARAM` and `ORDERING_PARAM`.
+* Fix `APIRequestFactory` to support arguments within the url string for GET.
+* Allow three transport modes for access tokens when accessing a protected resource.
+* Fix `QueryDict` encoding on request objects.
+* Ensure throttle keys do not contain spaces, as those are invalid if using `memcached`.
+* Support `blank_display_value` on `ChoiceField`.
### 2.3.13
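Review bot: The new security entry at the top of the 2.3.14 list has a typo: "when it is include as part of" should read "included". Since every carried-over line is being rewritten anyway to add the trailing period, also fix "convertion" in the `parse_header` entry and "browseable" in the dropdown entry, which is inconsistent with "browsable API" in the security entry. The security entry would be easier to triage if it named the affected template tags (`optional_login` and `optional_logout`) and said which versions are affected.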
diff --git a/rest_framework/__init__.py b/rest_framework/__init__.py
index 2d76b55d5..01036cefa 100644
--- a/rest_framework/__init__.py
+++ b/rest_framework/__init__.py
@@ -8,7 +8,7 @@ ______ _____ _____ _____ __ _
"""
__title__ = 'Django REST framework'
-__version__ = '2.3.13'
+__version__ = '2.3.14'
__author__ = 'Tom Christie'
__license__ = 'BSD 2-Clause'
__copyright__ = 'Copyright 2011-2014 Tom Christie'
diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index dff176d62..a155d8d25 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -122,7 +122,7 @@ def optional_login(request):
except NoReverseMatch:
return ''
- snippet = "Log in" % (login_url, request.path)
+ snippet = "Log in" % (login_url, escape(request.path))
return snippet
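Review bot: The added `escape(request.path)` call in `optional_login` relies on `escape` being in scope, but this diff contains no import hunk for rest_framework/templatetags/rest_framework.py; please confirm the name is already imported at the top of the module, otherwise this line raises NameError the first time the tag renders. Also, only `request.path` is escaped while `login_url` is interpolated into the same snippet unescaped; that is probably fine because it comes from `reverse()`, but a short comment saying so would help. If the path ends up inside a query string of the link, HTML escaping alone does not encode characters such as `&` or `#` for the URL context, so consider URL-quoting the value before escaping it.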
@@ -136,7 +136,7 @@ def optional_logout(request):
except NoReverseMatch:
return ''
- snippet = "Log out" % (logout_url, request.path)
+ snippet = "Log out" % (logout_url, escape(request.path))
return snippet
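Review bot: No test accompanies the `escape(request.path)` change in `optional_logout` (or the identical one in `optional_login`); the diff touches only docs, the version string and this module. Add a regression test that renders both tags for a request whose path contains `<`, `>` and quote characters and asserts the raw characters do not appear in the returned snippet. The two functions now carry the same escaping logic on near-identical lines, so a small shared helper that builds the link would keep the login and logout paths from drifting apart in a later change.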