From f3ab5d999b27865c045ffbece6fa3f7b5b49f91f Mon Sep 17 00:00:00 2001
From: Carsten Brandt
Date: Thu, 21 Nov 2013 14:44:40 +0100
Subject: [PATCH] encode email in Formatter
avoid XSS with emails in format "Carsten Brandt "
---
 framework/yii/base/Formatter.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/framework/yii/base/Formatter.php b/framework/yii/base/Formatter.php
index 30df3c3..33a6c16 100644
--- a/framework/yii/base/Formatter.php
+++ b/framework/yii/base/Formatter.php
@@ -190,7 +190,7 @@ class Formatter extends Component
 if ($value === null) {
 return $this->nullDisplay;
 }
- return Html::mailto($value);
+ return Html::mailto(Html::encode($value), $value);
 }
 /**
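Review bot: The raw `$value` still reaches the link target as the second argument of `Html::mailto`, so the added `Html::encode` only covers the visible text; the `href` side relies on attribute escaping inside `Html::mailto`/`Html::a`, which is outside this hunk and should be confirmed rather than assumed. A regression test that formats a value containing `"` and `<` and asserts neither character appears unescaped anywhere in the returned markup would pin both halves of the fix. The method's docblock (not in the hunk) should also state the new contract, e.g. `@param string $value the value to be formatted; it is HTML-encoded for the link text and used verbatim as the mailto address`. Note that for the `Name <address>` form the commit message cites, the whole string still becomes the `mailto:` target, which is presumably not a well-formed address even if it is now safely escaped. The enclosing method begins outside the hunk.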