Before saving the instance in the database, should DRF add a method to let the user escape '<', '>', ''', '"' in the code here: https://github.com/encode/django-rest-framework/blob/master/rest_framework/serializers.py#L172
    self.instance = self.create(validated_data)
    assert self.instance is not None, (
        '`create()` did not return an object instance.'
    )

maybe we should add a method like (from django)

    def replace_html(text):
        # Escape HTML special characters; '&' is replaced first so the
        # entities produced by the later replacements are not re-escaped.
        return (str(text).replace('&', '&amp;').replace('<', '&lt;')
                .replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;'))

for XSS protection?
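The escaping the post proposes, as an added standalone example that is not code from the thread or from DRF or Django. It re-implements the same replacement chain as `django.utils.html.escape` (without the `mark_safe` wrapper, so it runs offline with no Django installed), checks it against the stdlib `html.escape`, and shows the caveat a practitioner would want before escaping at save time: a value escaped once in the serializer and again by a template at render time ends up double-escaped. The sample payload and the function names are constructed for this example.

```python
import html


def escape_html(text):
    """Replacement chain from the post; equivalent to django.utils.html.escape
    minus mark_safe. '&' must be replaced first, otherwise the '&' introduced by
    the later entities would itself be turned into '&amp;'."""
    return (str(text)
            .replace('&', '&amp;')
            .replace('<', '&lt;')
            .replace('>', '&gt;')
            .replace('"', '&quot;')
            .replace("'", '&#39;'))


def escape_html_wrong_order(text):
    """Same replacements with '&' handled last, to show why order matters."""
    return (str(text)
            .replace('<', '&lt;')
            .replace('>', '&gt;')
            .replace('"', '&quot;')
            .replace("'", '&#39;')
            .replace('&', '&amp;'))


def unescape_html(text):
    """Reverse the escaping (stdlib); used to check the transform is lossless."""
    return html.unescape(text)


# Constructed sample: a script tag arriving as a serializer field value.
SAMPLE = '<script>alert("x")</script> & friends'


def demo(value=SAMPLE):
    """Escape once (what the proposed save-time hook would do), then once more
    (what an auto-escaping template does on output) and report the results."""
    once = escape_html(value)
    twice = escape_html(once)          # save-time escaping + render-time escaping
    return {
        "once": once,
        "twice": twice,                # double-escaped: '&amp;lt;script&amp;gt;...'
        "roundtrip": unescape_html(once) == value,
        "stdlib_matches": once == html.escape(value),
        "double_escaped": twice != once and unescape_html(twice) == once,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Run as a script it prints the once- and twice-escaped forms side by side; `double_escaped` being true is the signal that escaping in `save()` and again in the template corrupts the stored text for any consumer that escapes on output itself, while `roundtrip` confirms a single pass is reversible.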