From e61c937313454db3363ac95f1df396443ddba45f Mon Sep 17 00:00:00 2001 From: Sascha P Date: Thu, 15 Mar 2018 12:25:45 +0100 Subject: [PATCH 1/4] Removed input value from deault_error_message Its never a good idea to return the provided input in an error message, as it can easily result in an reflected XSS. Imagine someone provides sends a form with a field like "", you return the value and the frontend may not sanitize it proper, as it trusts its own backend. :) --- rest_framework/fields.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rest_framework/fields.py b/rest_framework/fields.py index ad710b9678..a08dc77a8b 100644 --- a/rest_framework/fields.py +++ b/rest_framework/fields.py @@ -642,7 +642,7 @@ def __repr__(self): class BooleanField(Field): default_error_messages = { - 'invalid': _('"{input}" is not a valid boolean.') + 'invalid': _('Is not a valid boolean.') } default_empty_html = False initial = False @@ -687,7 +687,7 @@ def to_representation(self, value): class NullBooleanField(Field): default_error_messages = { - 'invalid': _('"{input}" is not a valid boolean.') + 'invalid': _('Is not a valid boolean.') } initial = None TRUE_VALUES = { @@ -841,7 +841,7 @@ class UUIDField(Field): valid_formats = ('hex_verbose', 'hex', 'int', 'urn') default_error_messages = { - 'invalid': _('"{value}" is not a valid UUID.'), + 'invalid': _('Is not a valid UUID.'), } def __init__(self, **kwargs): From 263c064161ba98f67c93c019b86ba2311f49ac9b Mon Sep 17 00:00:00 2001 From: Sascha Pfeiffer Date: Sat, 24 Mar 2018 06:37:34 +0100 Subject: [PATCH 2/4] Fixing unittests Signed-off-by: Sascha Pfeiffer --- tests/test_fields.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/test_fields.py b/tests/test_fields.py index 6a694092ac..0b61dc3cc4 100644 --- a/tests/test_fields.py +++ b/tests/test_fields.py 
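Review bot: Changing the msgid of the three `_()`-wrapped strings in the `BooleanField`, `NullBooleanField` and `UUIDField` hunks silently orphans any existing translations for them, and the commit does not refresh the catalogs; if the project ships locale files, they need regenerating in the same change. The reason for no longer interpolating the submitted value exists only in the commit message, so it is worth a comment above the first `default_error_messages` dict, `# Deliberately does not echo the submitted value: clients may render messages unescaped.`, since a later contributor restoring `{input}` for debuggability would reintroduce the exposure. Other fields whose messages interpolate `{input}` or `{value}` (the choice-field message, for example, if it still does) have the same exposure and are not touched here. Each of the three class bodies continues past its hunk.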
@@ -573,7 +573,7 @@ class TestBooleanField(FieldValues): False: False, } invalid_inputs = { - 'foo': ['"foo" is not a valid boolean.'], + 'foo': ['Is not a valid boolean.'], None: ['This field may not be null.'] } outputs = { @@ -598,7 +598,7 @@ def test_disallow_unhashable_collection_types(self): for input_value in inputs: with pytest.raises(serializers.ValidationError) as exc_info: field.run_validation(input_value) - expected = ['"{0}" is not a valid boolean.'.format(input_value)] + expected = ['Is not a valid boolean.'.format(input_value)] assert exc_info.value.detail == expected @@ -615,7 +615,7 @@ class TestNullBooleanField(TestBooleanField): None: None } invalid_inputs = { - 'foo': ['"foo" is not a valid boolean.'], + 'foo': ['Is not a valid boolean.'], } outputs = { 'true': True, @@ -759,7 +759,7 @@ class TestUUIDField(FieldValues): 284758210125106368185219588917561929842: uuid.UUID('d63a6fb6-88d5-40c7-a91c-9edf73283072') } invalid_inputs = { - '825d7aeb-05a9-45b5-a5b7': ['"825d7aeb-05a9-45b5-a5b7" is not a valid UUID.'], + '825d7aeb-05a9-45b5-a5b7': ['Is not a valid UUID.'], (1, 2, 3): ['"(1, 2, 3)" is not a valid UUID.'] } outputs = { From f28708d674d15f12b1eca72f7a59e6e0b13dbfa9 Mon Sep 17 00:00:00 2001 From: Sascha Pfeiffer Date: Sat, 24 Mar 2018 06:44:15 +0100 Subject: [PATCH 3/4] another try :/ Signed-off-by: Sascha Pfeiffer --- tests/test_fields.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_fields.py b/tests/test_fields.py index 0b61dc3cc4..a511a34fe1 100644 --- a/tests/test_fields.py +++ b/tests/test_fields.py @@ -760,7 +760,7 @@ class TestUUIDField(FieldValues): } invalid_inputs = { '825d7aeb-05a9-45b5-a5b7': ['Is not a valid UUID.'], - (1, 2, 3): ['"(1, 2, 3)" is not a valid UUID.'] + (1, 2, 3): ['Is not a valid UUID.'] } outputs = { uuid.UUID('825d7aeb-05a9-45b5-a5b7-05df87923cda'): '825d7aeb-05a9-45b5-a5b7-05df87923cda' From 6cf6ff9537dd9aab5eb99755bb221f8a41a1c3eb Mon Sep 17 00:00:00 2001 
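Review bot: In the `test_disallow_unhashable_collection_types` hunk the new line `expected = ['Is not a valid boolean.'.format(input_value)]` keeps a `.format(input_value)` call on a template with no placeholders, so the positional argument is silently ignored; it should read `expected = ['Is not a valid boolean.']`. The same leftover survives the rewording of that line in PATCH 4/4. The enclosing test method starts before the hunk, and the `(1, 2, 3)` entry in the `TestUUIDField` hunk still expects the old echoed message, which is presumably why the follow-up patch was needed.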
From: Carlton Gibson Date: Fri, 20 Apr 2018 15:41:31 +0200 Subject: [PATCH 4/4] =?UTF-8?q?Use=20=E2=80=9CMust=20be=E2=80=A6=E2=80=9D?= =?UTF-8?q?=20wording?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit as per review from @tomchristie. --- rest_framework/fields.py | 6 +++--- tests/test_fields.py | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rest_framework/fields.py b/rest_framework/fields.py index a08dc77a8b..28eca13e67 100644 --- a/rest_framework/fields.py +++ b/rest_framework/fields.py @@ -642,7 +642,7 @@ def __repr__(self): class BooleanField(Field): default_error_messages = { - 'invalid': _('Is not a valid boolean.') + 'invalid': _('Must be a valid boolean.') } default_empty_html = False initial = False @@ -687,7 +687,7 @@ def to_representation(self, value): class NullBooleanField(Field): default_error_messages = { - 'invalid': _('Is not a valid boolean.') + 'invalid': _('Must be a valid boolean.') } initial = None TRUE_VALUES = { @@ -841,7 +841,7 @@ class UUIDField(Field): valid_formats = ('hex_verbose', 'hex', 'int', 'urn') default_error_messages = { - 'invalid': _('Is not a valid UUID.'), + 'invalid': _('Must be a valid UUID.'), } def __init__(self, **kwargs): diff --git a/tests/test_fields.py b/tests/test_fields.py index a511a34fe1..d49dab889f 100644 --- a/tests/test_fields.py +++ b/tests/test_fields.py @@ -573,7 +573,7 @@ class TestBooleanField(FieldValues): False: False, } invalid_inputs = { - 'foo': ['Is not a valid boolean.'], + 'foo': ['Must be a valid boolean.'], None: ['This field may not be null.'] } outputs = { @@ -598,7 +598,7 @@ def test_disallow_unhashable_collection_types(self): for input_value in inputs: with pytest.raises(serializers.ValidationError) as exc_info: field.run_validation(input_value) - expected = ['Is not a valid boolean.'.format(input_value)] + expected = ['Must be a valid boolean.'.format(input_value)] assert exc_info.value.detail == expected 
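Review bot: The `fail('invalid', ...)` call sites that raise the reworded messages lie outside the `BooleanField`, `NullBooleanField` and `UUIDField` hunks and presumably still pass the submitted value as a format kwarg; keeping that is right for compatibility, but it means a project-supplied `error_messages` override containing `{input}` or `{value}` reinstates the echo, which neither the rewording nor the class docs mention. A one-line comment above each `default_error_messages` dict would carry that caveat, e.g. `# The submitted value is intentionally not interpolated; overrides that add {input} echo it.`. The three class bodies continue past their hunks.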
@@ -615,7 +615,7 @@ class TestNullBooleanField(TestBooleanField): None: None } invalid_inputs = { - 'foo': ['Is not a valid boolean.'], + 'foo': ['Must be a valid boolean.'], } outputs = { 'true': True, @@ -759,8 +759,8 @@ class TestUUIDField(FieldValues): 284758210125106368185219588917561929842: uuid.UUID('d63a6fb6-88d5-40c7-a91c-9edf73283072') } invalid_inputs = { - '825d7aeb-05a9-45b5-a5b7': ['Is not a valid UUID.'], - (1, 2, 3): ['Is not a valid UUID.'] + '825d7aeb-05a9-45b5-a5b7': ['Must be a valid UUID.'], + (1, 2, 3): ['Must be a valid UUID.'] } outputs = { uuid.UUID('825d7aeb-05a9-45b5-a5b7-05df87923cda'): '825d7aeb-05a9-45b5-a5b7-05df87923cda' pFad - Phonifier reborn
