From 75a489150ae24c2f3c794104a8e98fa43e2c9ce9 Mon Sep 17 00:00:00 2001
From: "Yury V. Zaytsev" <yury.zaytsev@moneymeets.com>
Date: Fri, 14 Dec 2018 17:57:41 +0100
Subject: [PATCH] Fix XSS in default DRF Browsable API template by re-enabling
 autoescape

---
 rest_framework/templates/rest_framework/base.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rest_framework/templates/rest_framework/base.html b/rest_framework/templates/rest_framework/base.html
index 26395e1fd..688fd2310 100644
--- a/rest_framework/templates/rest_framework/base.html
+++ b/rest_framework/templates/rest_framework/base.html
@@ -171,10 +171,10 @@
               </div>
 
               <div class="response-info" aria-label="{% trans "response info" %}">
-                <pre class="prettyprint"><span class="meta nocode"><b>HTTP {{ response.status_code }} {{ response.status_text }}</b>{% autoescape off %}{% for key, val in response_headers|items %}
+                <pre class="prettyprint"><span class="meta nocode"><b>HTTP {{ response.status_code }} {{ response.status_text }}</b>{% for key, val in response_headers|items %}
 <b>{{ key }}:</b> <span class="lit">{{ val|break_long_headers|urlize_quoted_links }}</span>{% endfor %}
 
-</span>{{ content|urlize_quoted_links }}</pre>{% endautoescape %}
+</span>{{ content|urlize_quoted_links }}</pre>
               </div>
             </div>