Fix XSS in default DRF Browsable API template by re-enabling autoescape

2025-08-01 19:10:12 +03:00 · 2018-12-14 17:57:41 +01:00 · 2018-12-14 17:57:41 +01:00 · 75a489150a
commit 75a489150a
parent 343ce4a03c
1 changed files with 2 additions and 2 deletions
--- a/rest_framework/templates/rest_framework/base.html
+++ b/rest_framework/templates/rest_framework/base.html
@ -171,10 +171,10 @@
              </div>

              <div class="response-info" aria-label="{% trans "response info" %}">
-                <pre class="prettyprint"><span class="meta nocode"><b>HTTP {{ response.status_code }} {{ response.status_text }}</b>{% autoescape off %}{% for key, val in response_headers|items %}
+                <pre class="prettyprint"><span class="meta nocode"><b>HTTP {{ response.status_code }} {{ response.status_text }}</b>{% for key, val in response_headers|items %}
 <b>{{ key }}:</b> <span class="lit">{{ val|break_long_headers|urlize_quoted_links }}</span>{% endfor %}

-</span>{{ content|urlize_quoted_links }}</pre>{% endautoescape %}
+</span>{{ content|urlize_quoted_links }}</pre>
              </div>
            </div>