From fed691a304883bab09077f7b0215ac0aa2dbd835 Mon Sep 17 00:00:00 2001
From: Tom Christie <tom@tomchristie.com>
Date: Tue, 27 Oct 2015 14:17:19 +0000
Subject: [PATCH] Escape username in optional_logout

---
 rest_framework/templatetags/rest_framework.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index 0069d9a5e..efe46292d 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -53,7 +53,7 @@ def optional_logout(request, user):
     try:
         logout_url = reverse('rest_framework:logout')
     except NoReverseMatch:
-        return '<li class="navbar-text">{user}</li>'.format(user=user)
+        return '<li class="navbar-text">{user}</li>'.format(user=escape(user))
 
     snippet = """<li class="dropdown">
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">