From 2a23275a4bb6acffd8f2bba4477b907ef91b7d3d Mon Sep 17 00:00:00 2001
From: Qiang Xue
Date: Sat, 9 May 2015 23:41:39 -0400
Subject: [PATCH] Using `Json::htmlEncode()` for safer JSON data encoding in HTML code (samdark, Tomasz Tokarski)
---
 CHANGELOG.md | 1 +
 components/ActiveField.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c2da00308..4a08a7146 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ Yii Framework 2 gii extension Change Log
 - Bug #5098: Properly detect hasOne relations (nineinchnick)
 - Bug #6667: Gii form generator rendering mistake view (pana1990)
+- Bug (CVE-2015-3397): Using `Json::htmlEncode()` for safer JSON data encoding in HTML code (samdark, Tomasz Tokarski)
 - Enh #2109: Added ability to generate ActiveQuery class for model (klimov-paul)
 - Enh #7830: Added ability to detect relations between multiple schemas (nineinchnick)
diff --git a/components/ActiveField.php b/components/ActiveField.php
index a81033896..cee4178c3 100644
--- a/components/ActiveField.php
+++ b/components/ActiveField.php
@@ -68,7 +68,7 @@ public function autoComplete($data)
 foreach ($data as &$item) {
 $item = ['word' => $item];
 }
- $this->form->getView()->registerJs("yii.gii.autocomplete($counter, " . Json::encode($data) . ");");
+ $this->form->getView()->registerJs("yii.gii.autocomplete($counter, " . Json::htmlEncode($data) . ");");
 return $this;
 }
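Review bot: The switch to `Json::htmlEncode()` on the registerJs line is the right encoder for data embedded in an inline script, but nothing at the call site records why, so a later cleanup could drop it back to `Json::encode()`; I would add `// htmlEncode() applies the JSON_HEX_* flags so <, >, & and quotes in a word are emitted as \uXXXX escapes and a value cannot close the inline <script> (CVE-2015-3397)` directly above that line. The `foreach ($data as &$item)` loop three lines up still leaves `$item` bound by reference to the last element after the loop; add `unset($item);` after its closing brace so any later write to `$item` cannot silently alter `$data` before it is encoded. `$counter` is interpolated into the same string without encoding; it is assigned above the hunk, outside this view, so its origin (presumably an integer sequence, not request data) should be confirmed. autoComplete() begins before the hunk.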