Fix potential XSS vulnerability in break_long_headers template filter

The header input is now properly escaped before splitting and joining with <br> tags. This prevents potential XSS attacks if the header contains unsanitized user input.
This commit is contained in:
ch4n3-yoon 2024-06-13 20:09:09 +09:00
parent fe92f0dd0d
commit bc1c41d374


@ -322,5 +322,5 @@ def break_long_headers(header):
when possible (are comma separated)
"""
if len(header) > 160 and ',' in header:
header = mark_safe('<br> ' + ', <br>'.join(header.split(',')))
header = mark_safe('<br> ' + ', <br>'.join(escape(header).split(',')))
return header
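Review bot: the new `escape(header)` call on the replaced line always re-escapes its input, even a string already marked safe, so if a caller ever passes a pre-escaped header through this filter the output will be double-escaped; `conditional_escape(header)` from `django.utils.html` gives the same protection for raw strings without that side effect. The hunk also does not show the import, so confirm that `escape` (or `conditional_escape`) is imported from `django.utils.html` alongside `mark_safe`, otherwise the >160-character branch raises `NameError` at render time. Finally, since `mark_safe` now wraps only escaped text joined with literal `<br>` tags, the short-path `return header` on the last line is left unmarked and relies on template autoescaping, which is the correct default, but it is worth a regression test that renders a header containing `<script>` through both branches and asserts the tag is encoded in each.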