From 8e4067ec5eb342e6d345d59eb97a5cf76aa701c6 Mon Sep 17 00:00:00 2001
From: Carsten Brandt
Date: Mon, 14 Oct 2013 20:33:42 +0200
Subject: [PATCH] no xss for attribute error messages that contain {value}

---
 framework/yii/assets/yii.activeForm.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework/yii/assets/yii.activeForm.js b/framework/yii/assets/yii.activeForm.js
index 17ea8a7..2cb3b90 100644
--- a/framework/yii/assets/yii.activeForm.js
+++ b/framework/yii/assets/yii.activeForm.js
@@ -345,7 +345,7 @@
     var $container = $form.find(attribute.container);
     var $error = $container.find(attribute.error);
     if (hasError) {
-        $error.html(messages[attribute.name][0]);
+        $error.text(messages[attribute.name][0]);
         $container.removeClass(data.settings.validatingCssClass + ' ' + data.settings.successCssClass)
             .addClass(data.settings.errorCssClass);
     } else {
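Review bot: The switch from `.html()` to `.text()` on the added line is the right fix for error messages that interpolate `{value}`, but nothing in the code records why, so a later change can reintroduce `.html()` to allow markup in messages; add `// messages may embed unescaped user input via {value}; render as text, never as HTML` directly above it. Any other place in this file that renders the same `messages` object with `.html()` (an error summary, if the file has one) needs the same treatment, which cannot be confirmed from this hunk. Server-supplied messages that deliberately carried markup will now display it literally, a behaviour change worth a changelog line. The enclosing function starts and ends outside the hunk.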