I am using the Alert widget found the in the advanced template.
I’m adding informational alerts throughout my code like this:
Yii::$app->session->setFlash( 'success', 'Record "' . $model->name . '" saved.' );
It occurred to me that I probably should Html::encode the $model->name, since that is entered by the user.
From a application architecture point of view, should I modify the Alert widget to Html::encode the $message there, or Html::encode each message when I invoke setFlash?
Obviously it can be done either way, but one way is probably better.