2amigos / yii2-selectize-widget

Selectize From Brian Reavis Yii2 Widget

Json::encode XSS vulnerability #20

Closed nkovacs closed 7 years ago

nkovacs commented 9 years ago

You should use Json::htmlEncode instead of Json::encode: http://www.yiiframework.com/news/86/yii-2-0-4-is-released/ If you use a text input, you have to use the "options" option in clientOptions to specify the items in the dropdown. This will probably contain user input (e.g. tags created previously by users), so it's vulnerable.

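The breakout nkovacs describes, as an added example that is not code from yii2-selectize-widget or from Yii2. It is written in JavaScript so the rendered markup can be inspected directly: jsonEncode() stands in for Json::encode (plain JSON) and jsonHtmlEncode() for Json::htmlEncode (JSON with <, >, &, ' and " written as \uXXXX escapes, the effect of PHP's JSON_HEX_* flags). The function names, the "#tags" selector, the clientOptions shape and the sample tag list are assumptions made for the example.

```javascript
// Added example, not code from yii2-selectize-widget or from Yii2 itself. It
// models the failure mode in the issue: a widget emits its clientOptions as
// JSON inside an inline <script>, and the "options" list holds tag names that
// users created earlier. jsonEncode() stands in for Json::encode,
// jsonHtmlEncode() for Json::htmlEncode. The names, the sample tags and the
// "#tags" selector are assumptions made for this example.

// Plain encoder: valid JSON, but "</script>" inside a string stays verbatim.
function jsonEncode(value) {
  return JSON.stringify(value);
}

// HTML-safe encoder. JSON.stringify already turns a quote inside a string into
// \" and a backslash into \\; scanning left to right with those two-character
// escapes in the pattern keeps a structural quote that follows an escaped
// backslash intact, rewrites an escaped quote as \u0022, and hex-escapes the
// four characters JSON.stringify leaves bare. The output is still valid JSON
// and parses back to the same value, so the client-side code sees no change.
function jsonHtmlEncode(value) {
  const hex = (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  return JSON.stringify(value).replace(/\\\\|\\"|[<>&']/g, (m) =>
    m === '\\\\' ? m : m === '\\"' ? hex('"') : hex(m));
}

// What the widget's registered JS looks like once embedded in the page.
function renderWidget(clientOptions, encode) {
  return '<script>jQuery("#tags").selectize(' + encode(clientOptions) + ');</script>';
}

// The HTML parser ends a script element at the first "</script" it meets,
// whatever the JavaScript tokenizer would make of it. A rendering is intact
// only if that sequence occurs exactly once: the closing tag the widget wrote.
function scriptElementIntact(html) {
  return (html.match(/<\/script/gi) || []).length === 1;
}

// Constructed sample: tags previously created by users, one of them hostile.
const userTags = ['php', 'yii2', '</script><script>alert(document.cookie)</script>'];
const clientOptions = {
  create: true,
  options: userTags.map((t) => ({ value: t, text: t })),
};

const unsafeHtml = renderWidget(clientOptions, jsonEncode);
const safeHtml = renderWidget(clientOptions, jsonHtmlEncode);

// Summarises both renderings and checks that the hardened encoding is lossless.
function demo() {
  return {
    unsafeIntact: scriptElementIntact(unsafeHtml),   // false: the tag broke out
    safeIntact: scriptElementIntact(safeHtml),       // true
    roundTrips: JSON.stringify(JSON.parse(jsonHtmlEncode(clientOptions)))
      === jsonEncode(clientOptions),
  };
}

console.log(demo());
```

The check in scriptElementIntact() is the one to keep in mind when reviewing a widget: a literal "</script>" inside a JSON string literal closes the script element in every HTML parser, so the exposure does not depend on the browser, only on whether the encoder hex-escapes the angle brackets before the JSON reaches the page.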
tonydspaniard commented 8 years ago

Thanks @nkovacs, will upgrade. The vulnerability is for IE6/IE7; I don't think it is vulnerable, as I am not sure there are many people doing apps for that browser. We don't, and we don't support them at all. Nevertheless, I'll update ASAP.