From 3b41f0124194430da957b119712978fa2266b642 Mon Sep 17 00:00:00 2001
From: Seokchan Yoon
Date: Fri, 14 Jun 2024 18:52:02 +0900
Subject: [PATCH] Fix potential XSS vulnerability in break_long_headers template filter (#9435)

The header input is now properly escaped before splitting and joining with
 tags. This prevents potential XSS attacks if the header contains unsanitized user input.
---
 rest_framework/templatetags/rest_framework.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index e01568cf2c..dba8153b13 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -322,5 +322,5 @@ def break_long_headers(header):
     when possible (are comma separated)
     """
     if len(header) > 160 and ',' in header:
-        header = mark_safe('
' + ',
'.join(header.split(',')))
+        header = mark_safe('
' + ',
'.join(escape(header).split(',')))
     return header
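Review bot: The fix lands without a regression test pinning the new escaping on the added `mark_safe(... escape(header) ...)` line, so a later refactor could drop `escape()` again unnoticed; a test in the template-tag suite such as `assert '&lt;b&gt;' in break_long_headers('<b>x</b>,' * 40)` and `assert '<b>' not in break_long_headers('<b>x</b>,' * 40)` would cover the long, comma-separated path that is now marked safe. The docstring whose tail is visible at `when possible (are comma separated)` should also record the new contract, e.g. `The returned value is HTML-escaped and marked safe on this path; shorter or comma-free headers are returned unchanged and rely on template autoescaping.` Note that `escape` (unlike `conditional_escape`) also escapes input already marked safe, which is the stricter and presumably intended choice for a value that may carry user-controlled header content. The `def break_long_headers` signature and the start of its docstring lie above the hunk.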