Fix potential XSS vulnerability in break_long_headers template filter (…

…#9435)

The header input is now properly escaped before splitting and joining with <br> tags. This prevents potential XSS attacks if the header contains unsanitized user input.

rest_framework/templatetags/rest_framework.py

@@ -322,5 +322,5 @@ def break_long_headers(header):
     when possible (are comma separated)
     """
     if len(header) > 160 and ',' in header:
-        header = mark_safe('<br> ' + ', <br>'.join(header.split(',')))
+        header = mark_safe('<br> ' + ', <br>'.join(escape(header).split(',')))
     return header