
no xss for attribute error messages that contain {value}

tags/2.0.0-beta
Carsten Brandt 11 years ago
parent
commit
8e4067ec5e
  1. 2
      framework/yii/assets/yii.activeForm.js

2
framework/yii/assets/yii.activeForm.js

@ -345,7 +345,7 @@
var $container = $form.find(attribute.container); var $container = $form.find(attribute.container);
var $error = $container.find(attribute.error); var $error = $container.find(attribute.error);
if (hasError) { if (hasError) {
$error.html(messages[attribute.name][0]); $error.text(messages[attribute.name][0]);
$container.removeClass(data.settings.validatingCssClass + ' ' + data.settings.successCssClass) $container.removeClass(data.settings.validatingCssClass + ' ' + data.settings.successCssClass)
.addClass(data.settings.errorCssClass); .addClass(data.settings.errorCssClass);
} else { } else {
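Review bot: The switch to `.text()` on the `$error` line carries no comment explaining why, so a later change that wants markup in error messages could revert it to `.html()` and bring the injection back. I would add above that line `// messages can embed the user-supplied {value}; insert as text, never as HTML`. Messages that intentionally carried HTML will now be shown as literal text, which deserves a line in the upgrade notes. If the same messages are rendered anywhere else in this file (an error summary, for instance), that code is outside the hunk and should be checked for the same sink. The enclosing function starts and ends outside the hunk.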
