mirror of
https://github.com/encode/django-rest-framework.git
synced 2024-11-23 18:13:57 +03:00
Fix potential XSS vulnerability in break_long_headers template filter (#9435)
The header input is now properly escaped before splitting and joining with <br> tags. This prevents potential XSS attacks if the header contains unsanitized user input.
This commit is contained in:
parent
fe92f0dd0d
commit
3b41f01241
|
@ -322,5 +322,5 @@ def break_long_headers(header):
|
|||
when possible (are comma separated)
|
||||
"""
|
||||
if len(header) > 160 and ',' in header:
|
||||
header = mark_safe('<br> ' + ', <br>'.join(header.split(',')))
|
||||
header = mark_safe('<br> ' + ', <br>'.join(escape(header).split(',')))
|
||||
return header
|
||||
|
|
Loading…
Reference in New Issue
Block a user