encode email in Formatter

avoid XSS with emails in format "Carsten Brandt <mail@cebe.cc>"
11 years ago · f3ab5d999b
1 changed files with 1 additions and 1 deletions
--- a/framework/yii/base/Formatter.php
+++ b/framework/yii/base/Formatter.php
@ -190,7 +190,7 @@ class Formatter extends Component
 		if ($value === null) {
 			return $this->nullDisplay;
 		}
-		return Html::mailto($value);
+		return Html::mailto(Html::encode($value), $value);
 	}

 	/**