encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2024-11-24 02:24:03 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential XSS vulnerability in break_long_headers template filter (#9435)

Browse Source 
The header input is now properly escaped before splitting and joining with <br> tags. This prevents potential XSS attacks if the header contains unsanitized user input.
This commit is contained in:
Seokchan Yoon 2024-06-14 18:52:02 +09:00 committed by GitHub
parent fe92f0dd0d
commit 3b41f01241
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rest_framework/templatetags/rest_framework.py
View File

@ -322,5 +322,5 @@ def break_long_headers(header):
when possible (are comma separated) when possible (are comma separated)
""" """
if len(header) > 160 and ',' in header: if len(header) > 160 and ',' in header:
header = mark_safe('<br> ' + ', <br>'.join(header.split(','))) header = mark_safe('<br> ' + ', <br>'.join(escape(header).split(',')))
return header return header