Escape html tags before save for XSS protection?


左小龙

May 26, 2017, 3:36:08 AM
to Django REST framework
Before saving the instance in the database, should DRF add a method to let the user escape '<', '>', ''', '"'? From the code here: https://github.com/encode/django-rest-framework/blob/master/rest_framework/serializers.py#L172

self.instance = self.create(validated_data)
assert self.instance is not None, (
    '`create()` did not return an object instance.'
)

maybe we should add a method like this (from Django)

def replace_html(text):
    # '&' is replaced first so the entities produced below are not re-escaped
    return (str(text).replace('&', '&amp;').replace('<', '&lt;')
            .replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;'))

for XSS protection?
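As an added example (not code from the post above and not DRF's own code), the following pure-Python model shows what happens when the proposed escape runs at save time rather than at output time. The helper reimplements the same five-character substitution table as the post so it runs without Django installed; the `save_escaped` create step, the autoescaping template renderer and the text-node client are assumed stand-ins for a DRF `create()`, a Django template with autoescape on, and a JavaScript client that assigns the JSON string to `textContent`.

```python
# Added example: escape-on-save versus escape-on-render.
# Not DRF project code; the helper mirrors the substitution table from
# the post (same as django.utils.html.escape) so it runs offline.

def escape_html(text):
    """Replace the five HTML-significant characters.
    '&' goes first so the entities produced afterwards are not re-escaped.
    Note the function is not idempotent: escaping '&lt;' yields '&amp;lt;'."""
    return (str(text)
            .replace('&', '&amp;')
            .replace('<', '&lt;')
            .replace('>', '&gt;')
            .replace('"', '&quot;')
            .replace("'", '&#39;'))


def save_escaped(validated_data):
    """Hypothetical create(): escapes every string field before storing it.
    This is the behaviour the post proposes adding to the serializer."""
    return {key: escape_html(value) if isinstance(value, str) else value
            for key, value in validated_data.items()}


def render_autoescaped(stored_value):
    """Stand-in for a template engine with autoescape on (Django's default):
    whatever comes out of the database is escaped again at render time."""
    return "<p>%s</p>" % escape_html(stored_value)


def render_as_text_node(stored_value):
    """Stand-in for an API client doing element.textContent = value:
    the browser shows the characters literally and parses no HTML, so a
    stored entity such as '&lt;' is displayed on screen as '&lt;'."""
    return stored_value


# Constructed sample inputs, not data from the post.
SCRIPT_PAYLOAD = '<script>alert(1)</script>'
HREF_PAYLOAD = 'javascript:alert(1)'  # contains none of the five characters


def demo():
    """Returns the stored value and what each consumer would emit."""
    stored = save_escaped({'bio': SCRIPT_PAYLOAD})['bio']
    return {
        'stored': stored,
        # escaped at save time AND at render time: double-escaped output
        'html_view_escaped_store': render_autoescaped(stored),
        # stored raw, escaped once at render time: correct output
        'html_view_raw_store': render_autoescaped(SCRIPT_PAYLOAD),
        # JSON client inserting a text node: entities shown literally
        'spa_view_escaped_store': render_as_text_node(stored),
        # HTML escaping leaves a URL-context payload untouched
        'href_after_escape': escape_html(HREF_PAYLOAD),
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print('%-24s %s' % (name, value))
```

Two things the output makes visible: storing the escaped form means any consumer that escapes on output (Django templates, most template engines, a client using `textContent`) renders `&amp;lt;` or a literal `&lt;` instead of `<`, and the escape helps only in an HTML text or quoted-attribute context, since a value such as `javascript:alert(1)` passes through unchanged and is still dangerous inside an `href`.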