no xss for attribute error messages that contain {value}

2025-11-18 23:43:19 +08:00 · 2013-10-14 20:33:42 +02:00
parent 266f4f9843
commit 8e4067ec5e
1 changed files with 1 additions and 1 deletions
--- a/framework/yii/assets/yii.activeForm.js
+++ b/framework/yii/assets/yii.activeForm.js
@@ -345,7 +345,7 @@
 			var $container = $form.find(attribute.container);
 			var $error = $container.find(attribute.error);
 			if (hasError) {
-				$error.html(messages[attribute.name][0]);
+				$error.text(messages[attribute.name][0]);
 				$container.removeClass(data.settings.validatingCssClass + ' ' + data.settings.successCssClass)
 					.addClass(data.settings.errorCssClass);
 			} else {