From 1386767013d044d337b8e08dd2f9b0197197cccf Mon Sep 17 00:00:00 2001
From: Tom Christie <tom@tomchristie.com>
Date: Thu, 12 Jun 2014 11:47:26 +0100
Subject: [PATCH] Version 2.3.14

---
 docs/api-guide/content-negotiation.md         |  2 --
 docs/topics/release-notes.md                  | 36 ++++++++++---------
 rest_framework/__init__.py                    |  2 +-
 rest_framework/templatetags/rest_framework.py |  4 +--
 4 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/docs/api-guide/content-negotiation.md b/docs/api-guide/content-negotiation.md
index 94dd59cac..58b2a2ce0 100644
--- a/docs/api-guide/content-negotiation.md
+++ b/docs/api-guide/content-negotiation.md
@@ -1,5 +1,3 @@
-<a class="github" href="negotiation.py"></a>
-
 # Content negotiation
 
 > HTTP has provisions for several mechanisms for "content negotiation" - the process of selecting the best representation for a given response when there are multiple representations available.
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 335497eec..ea4c912c9 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,24 +40,28 @@ You can determine your currently installed version using `pip freeze`:
 
 ## 2.3.x series
 
-### 2.3.x
+### 2.3.14
 
-**Date**: April 2014
+**Date**: 12th June 2014
 
-* Fix nested serializers linked through a backward foreign key relation
-* Fix bad links for the `BrowsableAPIRenderer` with `YAMLRenderer`
-* Add `UnicodeYAMLRenderer` that extends `YAMLRenderer` with unicode
-* Fix `parse_header` argument convertion
-* Fix mediatype detection under Python3
-* Web browseable API now offers blank option on dropdown when the field is not required
-* `APIException` representation improved for logging purposes
-* Allow source="*" within nested serializers
-* Better support for custom oauth2 provider backends
-* Fix field validation if it's optional and has no value
-* Add `SEARCH_PARAM` and `ORDERING_PARAM`
-* Fix `APIRequestFactory` to support arguments within the url string for GET
-* Allow three transport modes for access tokens when accessing a protected resource
-* Fix `Request`'s `QueryDict` encoding
+* **Security fix**: Escape request path when it is include as part of the login and logout links in the browsable API.
+* `help_text` and `verbose_name` automatically set for related fields on `ModelSerializer`.
+* Fix nested serializers linked through a backward foreign key relation.
+* Fix bad links for the `BrowsableAPIRenderer` with `YAMLRenderer`.
+* Add `UnicodeYAMLRenderer` that extends `YAMLRenderer` with unicode.
+* Fix `parse_header` argument convertion.
+* Fix mediatype detection under Python 3.
+* Web browseable API now offers blank option on dropdown when the field is not required.
+* `APIException` representation improved for logging purposes.
+* Allow source="*" within nested serializers.
+* Better support for custom oauth2 provider backends.
+* Fix field validation if it's optional and has no value.
+* Add `SEARCH_PARAM` and `ORDERING_PARAM`.
+* Fix `APIRequestFactory` to support arguments within the url string for GET.
+* Allow three transport modes for access tokens when accessing a protected resource.
+* Fix `QueryDict` encoding on request objects.
+* Ensure throttle keys do not contain spaces, as those are invalid if using `memcached`.
+* Support `blank_display_value` on `ChoiceField`.
 
 ### 2.3.13
 
diff --git a/rest_framework/__init__.py b/rest_framework/__init__.py
index 2d76b55d5..01036cefa 100644
--- a/rest_framework/__init__.py
+++ b/rest_framework/__init__.py
@@ -8,7 +8,7 @@ ______ _____ _____ _____    __                                             _
 """
 
 __title__ = 'Django REST framework'
-__version__ = '2.3.13'
+__version__ = '2.3.14'
 __author__ = 'Tom Christie'
 __license__ = 'BSD 2-Clause'
 __copyright__ = 'Copyright 2011-2014 Tom Christie'
diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index dff176d62..a155d8d25 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -122,7 +122,7 @@ def optional_login(request):
     except NoReverseMatch:
         return ''
 
-    snippet = "<a href='%s?next=%s'>Log in</a>" % (login_url, request.path)
+    snippet = "<a href='%s?next=%s'>Log in</a>" % (login_url, escape(request.path))
     return snippet
 
 
@@ -136,7 +136,7 @@ def optional_logout(request):
     except NoReverseMatch:
         return ''
 
-    snippet = "<a href='%s?next=%s'>Log out</a>" % (logout_url, request.path)
+    snippet = "<a href='%s?next=%s'>Log out</a>" % (logout_url, escape(request.path))
     return snippet