Fix potential XSS vulnerability in break_long_headers template filter (…

…#9435)

The header input is now properly escaped before splitting and joining with <br> tags. This prevents potential XSS attacks if the header contains unsanitized user input.

rest_framework/templatetags/rest_framework.py

@@ -322,5 +322,5 @@ def break_long_headers(header):
  when possible (are comma separated)
  """
  if len(header) > 160 and ',' in header:
- header = mark_safe('<br> ' + ', <br>'.join(header.split(',')))
+ header = mark_safe('<br> ' + ', <br>'.join(escape(header).split(',')))
  return header