Before saving the instance to the database, should DRF add a method to let users escape '<', '>', ''', '"' in the code here:
https://github.com/encode/django-rest-framework/blob/master/rest_framework/serializers.py#L172
    self.instance = self.create(validated_data)
    assert self.instance is not None, (
        '`create()` did not return an object instance.'
    )
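Maybe we should add a method like this (from Django):
    def replace_html(text):
        # '&' is replaced first so the entities produced below are not escaped again
        return (str(text).replace('&', '&amp;').replace('<', '&lt;')
                .replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;'))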
for XSS protection?
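
Added example, not part of the original issue and not DRF or Django code: it traces one payload through the proposed escape-before-save hook and through escaping only at HTML output, to show what each design stores and what an HTML page and a JSON client then receive. `escape_validated`, `render_in_template`, `trace` and the sample payload are hypothetical names and constructed data; `render_in_template` stands in for an auto-escaping template.

```python
import html
import json

def escape_html(text):
    # Same five replacements as the function in the issue; '&' must go first,
    # otherwise the '&' inside '&lt;' and friends would be escaped a second time.
    return (str(text).replace('&', '&amp;').replace('<', '&lt;')
            .replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;'))

def escape_validated(validated_data, fields):
    # Hypothetical pre-save hook: escape only the named string fields.
    return {k: escape_html(v) if k in fields and isinstance(v, str) else v
            for k, v in validated_data.items()}

def render_in_template(value):
    # Stand-in (assumption) for a template engine with auto-escaping enabled.
    return html.escape(str(value), quote=True)

def trace(validated_data, fields):
    """Follow one payload through both designs: escape at save vs. at output."""
    stored_escaped = escape_validated(validated_data, fields)
    return {
        "escaped_at_save": {
            "db": stored_escaped,
            "json_api": json.dumps(stored_escaped),
            "html_page": {k: render_in_template(v) for k, v in stored_escaped.items()},
        },
        "escaped_at_output": {
            "db": dict(validated_data),
            "json_api": json.dumps(validated_data),
            "html_page": {k: render_in_template(v) for k, v in validated_data.items()},
        },
    }

# Constructed sample input, not taken from the issue.
SAMPLE = {"title": "Tom & Jerry <b>", "views": 3}

if __name__ == "__main__":
    for design, outputs in trace(SAMPLE, {"title"}).items():
        print(design)
        for sink, value in outputs.items():
            print("  ", sink, "->", value)
```

With escaping at save time the stored title already contains entities, so the auto-escaping page shows them doubled and the JSON client receives HTML entities instead of the original text; with escaping at output the database and API keep the original string and the page escapes it once.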