Bug
Resolution: Unresolved
Normal
Fix #1361 to MBS-10576 opens the door to potential XSS injection in form field error messages, since the View component assumes error messages are correctly HTML-encoded by the Model-Controller components, which proved to be untrue at least once.
A safer implementation would be to create expandable objects instead of HTML strings, convey them to the renderer, and let it encode every string to HTML.
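
The approach suggested above, sketched as an added example (not MusicBrainz Server code; the function names, the message object format, the `/doc/Style` path and the sample input are all assumptions): the model returns error messages as data objects, and the renderer is the only place that produces HTML, encoding every string it expands.

```javascript
// Added example with hypothetical names; not code from the project.

// HTML-encode a plain string for element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Model/controller side: an error is data, never markup.
// `text` is a template with {name} placeholders; `args` holds plain strings
// or link objects {href, text} that the renderer knows how to expand.
function makeError(text, args = {}) {
  return Object.freeze({ text, args: Object.freeze({ ...args }) });
}

// View side: expand one argument, encoding every string it contains.
function renderArg(arg) {
  if (arg !== null && typeof arg === 'object') {
    // Only http(s) or site-relative targets become links; others render as text.
    const href = String(arg.href);
    const safe = /^(https?:\/\/|\/(?!\/))/i.test(href);
    const label = escapeHtml(arg.text);
    return safe ? `<a href="${escapeHtml(href)}">${label}</a>` : label;
  }
  return escapeHtml(arg);
}

// View side: the single place where HTML is produced for an error message.
function renderError(error) {
  // Splitting on placeholders puts literal text at even indexes, names at odd.
  const parts = error.text.split(/\{(\w+)\}/);
  const html = parts.map((part, i) => {
    if (i % 2 === 0) return escapeHtml(part);
    return Object.prototype.hasOwnProperty.call(error.args, part)
      ? renderArg(error.args[part])
      : escapeHtml(`{${part}}`); // unknown placeholder stays literal
  }).join('');
  return `<span class="error">${html}</span>`;
}

// Constructed sample input: a submitted field value echoed back in the error.
const submitted = '<img src=x onerror=alert(1)>';
const sample = makeError('"{value}" is not a valid name. See the {doc}.', {
  value: submitted,
  doc: { href: '/doc/Style', text: 'style guidelines' },
});
```

Because the model never returns markup, a forgotten encoding step upstream can no longer reach the page: the renderer treats every string as untrusted text.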