From 898682b04c326906ad5f818c013b604723e1a9fc Mon Sep 17 00:00:00 2001
From: Qiang Xue
Date: Sat, 9 May 2015 23:43:16 -0400
Subject: [PATCH] Using `Json::htmlEncode()` for safer JSON data encoding in HTML code

---
 CHANGELOG.md | 1 +
 Widget.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 896fe98..18cf504 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ Yii Framework 2 bootstrap extension Change Log
 - Bug #5984: `yii\bootstrap\Activefield::checkbox()` caused browser to link label to the wrong input (cebe)
 - Bug #7894: Fixed incorrect URL config processing at `yii\bootstrap\Nav::items` if route element is not a first one (nkovacs, klimov-paul)
 - Bug #8231: Configuration of Alert, ButtonDropdown, Modal widget where not preserved when used multiple times (cebe, idMolotov)
+- Bug (CVE-2015-3397): Using `Json::htmlEncode()` for safer JSON data encoding in HTML code (samdark, Tomasz Tokarski)
 - Enh #29: Added support to list-groups for Collapse class (pana1990, skullcrasher)
 - Enh #2546: Added `visible` option to `yii\bootstrap\ButtonGroup::$buttons` (samdark, lukBarros)
 - Enh #7633: Added `ActionColumn::$buttonOptions` for defining HTML options to be added to the default buttons (cebe)
diff --git a/Widget.php b/Widget.php
index 641f640..dc07f4f 100644
--- a/Widget.php
+++ b/Widget.php
@@ -66,7 +66,7 @@ class Widget extends \yii\base\Widget
 $id = $this->options['id'];
 if ($this->clientOptions !== false) {
- $options = empty($this->clientOptions) ? '' : Json::encode($this->clientOptions);
+ $options = empty($this->clientOptions) ? '' : Json::htmlEncode($this->clientOptions);
 $js = "jQuery('#$id').$name($options);";
 $view->registerJs($js);
 }
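Review bot: The line after the changed one still interpolates `$id` and `$name` unencoded into the JavaScript string, `$js = "jQuery('#$id').$name($options);"`, so the switch to `Json::htmlEncode()` covers the client options only. `$id` is read from `$this->options['id']` two lines earlier; if a caller derives that id from request data, a single quote in it terminates the selector literal no matter how the options are encoded. Building the selector the same way as the options, `$selector = Json::htmlEncode('#' . $id);` followed by `$js = "jQuery($selector).$name($options);";`, closes that gap; `$name` appears to be the plugin-name argument of the enclosing method and is presumably developer-controlled, which is worth confirming. The enclosing method starts before and ends after the hunk.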