From 9401eccbfab0ecd5f29414eab01e887c56e6e548 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Mon, 23 Mar 2015 11:20:09 +0000
Subject: [PATCH 1/3] Escape tab switching cookie

---
 rest_framework/static/rest_framework/js/default.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rest_framework/static/rest_framework/js/default.js b/rest_framework/static/rest_framework/js/default.js
index bcb1964db..f04e55696 100644
--- a/rest_framework/static/rest_framework/js/default.js
+++ b/rest_framework/static/rest_framework/js/default.js
@@ -43,6 +43,10 @@ $('a[data-toggle="tab"]').click(function(){
 var selectedTab = null;
 var selectedTabName = getCookie('tabstyle');
 
+if (selectedTabName) {
+ selectedTabName = selectedTabName.replace(/[^a-z-]/g, '');
+}
+
 if (selectedTabName) {
 selectedTab = $('.form-switcher a[name=' + selectedTabName + ']');
 }

From f7fc754bc916ba41288328cc3d0434225739a4f0 Mon Sep 17 00:00:00 2001
From: Andy Freeland
Date: Mon, 23 Mar 2015 12:01:54 -0400
Subject: [PATCH 2/3] Version bump and release notes update for 2.4.5

---
 docs/topics/release-notes.md | 6 ++++++
 rest_framework/__init__.py | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 11d12ae32..9879c4665 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,6 +40,12 @@ You can determine your currently installed version using `pip freeze`:
 
 ## 2.4.x series
 
+### 2.4.5
+
+**Date**: 24 March 2015
+
+* **Security fix**: Escape tab switching cookie name in browsable API. [Backported from 3.1.1](http://www.django-rest-framework.org/topics/release-notes/#311).
+
 ### 2.4.4
 
 **Date**: [3rd November 2014](https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%222.4.4+Release%22+).
diff --git a/rest_framework/__init__.py b/rest_framework/__init__.py
index 15b12d9be..530190971 100644
--- a/rest_framework/__init__.py
+++ b/rest_framework/__init__.py
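Review bot: The whitelist added on the `tabstyle` cookie value carries no comment explaining why it is there, and since the value is concatenated into the `a[name=...]` selector a few lines below, a later cleanup could drop it without noticing it is the security control; I would add `// tabstyle is a client-supplied cookie that is spliced into a jQuery selector below; keep only [a-z-] so it cannot carry selector or markup syntax.` above the new `if`. Stylistically the two back-to-back `if (selectedTabName)` blocks can be merged, e.g. `var selectedTabName = (getCookie('tabstyle') || '').replace(/[^a-z-]/g, '');` replacing the assignment plus the first guard, which should keep the same outcome for missing, empty and filtered-to-empty values. The character class is case-sensitive and excludes digits, so a tab name containing uppercase letters or digits would never be restored from the cookie; that looks deliberate but deserves a word in the same comment. The hunk header attributes these lines to the tab click handler, yet they read as top-level statements, and the enclosing scope begins and ends outside the hunk.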
@@ -8,7 +8,7 @@ ______ _____ _____ _____ __
 """
 
 __title__ = 'Django REST framework'
-__version__ = '2.4.4'
+__version__ = '2.4.5'
 __author__ = 'Tom Christie'
 __license__ = 'BSD 2-Clause'
 __copyright__ = 'Copyright 2011-2014 Tom Christie'

From 2a6f25c5f9d45cfe04e93e0421ff8982e29986f6 Mon Sep 17 00:00:00 2001
From: Andy Freeland
Date: Tue, 24 Mar 2015 15:32:31 -0400
Subject: [PATCH 3/3] Pin flake8 2.4.0 and pep8 1.5.7

---
 requirements-test.txt | 3 ++-
 tox.ini | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/requirements-test.txt b/requirements-test.txt
index 411daeba2..2880f5a98 100644
--- a/requirements-test.txt
+++ b/requirements-test.txt
@@ -2,7 +2,8 @@
 pytest-django==2.6
 pytest==2.5.2
 pytest-cov==1.6
-flake8==2.2.2
+pep8==1.5.7
+flake8==2.4.0
 
 # Optional packages
 markdown>=2.1.0
diff --git a/tox.ini b/tox.ini
index b3f53cce2..0e17ca511 100644
--- a/tox.ini
+++ b/tox.ini
@@ -15,7 +15,8 @@ setenv =
 [testenv:flake8]
 basepython = python2.7
 deps = pytest==2.5.2
- flake8==2.2.2
+ pep8==1.5.7
+ flake8==2.4.0
 commands = ./runtests.py --lintonly
 
 [testenv:py3.4-django1.7]