From 96bb77dc35a75df0fd9ad2fabb0f4661b2485600 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Mon, 3 Nov 2014 11:20:18 +0000
Subject: [PATCH 1/2] Version 2.4.4

---
 docs/topics/release-notes.md | 10 ++++++++++
 rest_framework/__init__.py   |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 16589f3b9..11d12ae32 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,6 +40,16 @@ You can determine your currently installed version using `pip freeze`:
 
 ## 2.4.x series
 
+### 2.4.4
+
+**Date**: [3rd November 2014](https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%222.4.4+Release%22+).
+
+* **Security fix**: Escape URLs when replacing `format=` query parameter, as used in dropdown on `GET` button in browsable API to allow explicit selection of JSON vs HTML output.
+* Maintain ordering of URLs in API root view for `DefaultRouter`.
+* Fix `follow=True` in `APIRequestFactory`
+* Resolve issue with invalid `read_only=True`, `required=True` fields being automatically generated by `ModelSerializer` in some cases.
+* Resolve issue with `OPTIONS` requests returning incorrect information for views using `get_serializer_class` to dynamically determine serializer based on request method.
+
 ### 2.4.3
 
 **Date**: [19th September 2014](https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%222.4.3+Release%22+).
diff --git a/rest_framework/__init__.py b/rest_framework/__init__.py
index 7f724c185..15b12d9be 100644
--- a/rest_framework/__init__.py
+++ b/rest_framework/__init__.py
@@ -8,7 +8,7 @@ ______ _____ _____ _____ __
 """
 
 __title__ = 'Django REST framework'
-__version__ = '2.4.3'
+__version__ = '2.4.4'
 __author__ = 'Tom Christie'
 __license__ = 'BSD 2-Clause'
 __copyright__ = 'Copyright 2011-2014 Tom Christie'

From 650a91ac24cbd3e5b4ad5d7d7c6706fdf6160a78 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Mon, 3 Nov 2014 11:29:48 +0000
Subject: [PATCH 2/2] Fix URL escaping

---
 rest_framework/templatetags/rest_framework.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index 7c914ed65..84ba1b0a7 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -22,7 +22,7 @@ def replace_query_param(url, key, val):
     query_dict = QueryDict(query).copy()
     query_dict[key] = val
     query = query_dict.urlencode()
-    return escape(urlparse.urlunsplit((scheme, netloc, path, query, fragment)))
+    return urlparse.urlunsplit((scheme, netloc, path, query, fragment))
 
 
 # Regex for adding classes to html snippets
@@ -75,7 +75,7 @@ def add_query_param(request, key, val):
     """
     iri = request.get_full_path()
     uri = iri_to_uri(iri)
-    return replace_query_param(uri, key, val)
+    return escape(replace_query_param(uri, key, val))
 
 
 @register.filter
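Review bot: `replace_query_param` now hands back a raw URL, yet nothing in the hunk records that its result is no longer HTML-safe, so a later caller that builds markup by hand from it would reintroduce the injection the 2.4.4 release notes describe. The function's docstring, which sits above the hunk, should state the contract explicitly: `Returns a plain URL string; it is NOT HTML-escaped. Callers that emit it into HTML must escape it or rely on template autoescaping.` The start of `replace_query_param`'s body is outside the hunk.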
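Review bot: Nothing in this series pins the corrected escaping in `add_query_param`, so the fix could silently regress if `escape` is moved again. A test that builds a request whose full path contains an ampersand and a single quote (characters `iri_to_uri` presumably leaves unencoded) and asserts the returned string contains `&amp;` and `&#39;` rather than the raw characters would lock it in. A one-line comment at the new return would also explain why escaping lives here rather than in the helper, e.g. `# Escape at the HTML boundary; replace_query_param stays a plain URL helper for non-HTML callers.` The decorator and signature of `add_query_param` are above the hunk, and whether the template engine additionally autoescapes its output cannot be confirmed from these lines.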