no xss for attribute error messages that contain {value}

8e4067ec · Carsten Brandt · 266f4f98 · 8e4067ec
Commit 8e4067ec authored Oct 14, 2013 by Carsten Brandt
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

yii.activeForm.js framework/yii/assets/yii.activeForm.js +1 -1

No files found.
--- a/framework/yii/assets/yii.activeForm.js
+++ b/framework/yii/assets/yii.activeForm.js
@@ -345,7 +345,7 @@
 			var $container = $form.find(attribute.container);
 			var $error = $container.find(attribute.error);
 			if (hasError) {
-				$error.html(messages[attribute.name][0]);
+				$error.text(messages[attribute.name][0]);
 				$container.removeClass(data.settings.validatingCssClass + ' ' + data.settings.successCssClass)
 					.addClass(data.settings.errorCssClass);
 			} else {