Output escaping issue

I have a model which uses a user input as part of its attribute labels.


public function attributeLabels()
{
    return [
        'attribute' => 'some text' . $this->anotherClass->userInput,
    ];
}

I have been testing the site for XSS vulnerability.

When I enter a simple script like

<script>alert('hi')</script>

as the user input it does display correctly in the attribute label, and the script does not run.

However, there is a curious side effect: the validation rules and error messages are all printed out at the bottom of the page, underneath the footer.

Output-escaping the user input prevents this; however, the user input won’t always display correctly in the label.


public function attributeLabels()
{
    return [
        'attribute' => 'some text' . Html::encode($this->anotherClass->userInput),
    ];
}

So does anyone have a better suggestion about how to solve this?

If you don’t need HTML in your labels, process it with strip_tags().
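Added example, not code from this thread: a stand-alone PHP script that builds the label both ways discussed above, pre-encoding with Html::encode() versus strip_tags(), and then applies the second encoding the view performs when it renders the <label>. It assumes Yii 2 behaviour (Html::activeLabel encodes the label once more), with htmlspecialchars() standing in for Html::encode() so it runs without the framework.

```php
<?php
// Added example; Html::encode() is stood in for by htmlspecialchars() with the
// flags Yii uses (assumption), so this runs without the framework installed.
declare(strict_types=1);

function encodeLikeYiiHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Variant 1 from the question: pre-encode the user input inside the label.
function labelWithEncode(string $userInput): string
{
    return 'some text ' . encodeLikeYiiHtml($userInput);
}

// Variant 2 (Samdark's suggestion): drop the tags, keep the text between them,
// and leave HTML encoding to the view.
function labelWithStripTags(string $userInput): string
{
    return 'some text ' . strip_tags($userInput);
}

// What the browser receives: the view encodes the label again when it
// renders the <label> element (assumed Yii 2 Html::activeLabel behaviour).
function renderLabel(string $label): string
{
    return '<label>' . encodeLikeYiiHtml($label) . '</label>';
}

// Constructed sample inputs: the script from the question and a harmless
// value containing a character that HTML-encoding rewrites.
$inputs = [
    "<script>alert('hi')</script>",
    'Tom & Jerry',
];

foreach ($inputs as $in) {
    // Variant 1: the pre-encoded entities are encoded a second time, so the
    // page shows the entity text itself (the display problem in the question).
    echo renderLabel(labelWithEncode($in)), PHP_EOL;
    // Variant 2: tags are gone, remaining text is encoded exactly once, so it
    // displays as typed and cannot be interpreted as markup.
    echo renderLabel(labelWithStripTags($in)), PHP_EOL;
}
```

strip_tags() only removes tags; it does not encode the text it leaves behind, so the label must still pass through the view's encoding (as it does here) before reaching the page.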

Thank you, Samdark, yes, that works nicely for me.