diff --git a/composer.json b/composer.json
index a59f61f3d..438e6f48b 100644
--- a/composer.json
+++ b/composer.json
@@ -54,7 +54,11 @@
"laminas/laminas-view": "^2.14, required for using the laminas-form view helpers"
},
"config": {
- "sort-packages": true
+ "sort-packages": true,
+ "allow-plugins": {
+ "composer/package-versions-deprecated": true,
+ "dealerdirect/phpcodesniffer-composer-installer": true
+ }
},
"extra": {
"laminas": {
diff --git a/src/View/Helper/FormElementErrors.php b/src/View/Helper/FormElementErrors.php
index 6dc63bd24..add4dd9ba 100644
--- a/src/View/Helper/FormElementErrors.php
+++ b/src/View/Helper/FormElementErrors.php
@@ -9,6 +9,7 @@
use function array_merge;
use function array_walk_recursive;
+use function count;
use function implode;
use function sprintf;
@@ -77,6 +78,12 @@ public function render(ElementInterface $element, array $attributes = []): strin
$attributes = ' ' . $attributes;
}
+ $count = count($messages);
+ $escaper = $this->getEscapeHtmlHelper();
+ for ($i = 0; $i < $count; $i += 1) {
+ $messages[$i] = $escaper($messages[$i]);
+ }
+
// Generate markup
$markup = sprintf($this->getMessageOpenFormat(), $attributes);
$markup .= implode($this->getMessageSeparatorString(), $messages);
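Review bot: The new escaping loop `for ($i = 0; $i < $count; $i += 1)` assumes `$messages` is a zero-indexed list; an entry stored under a string or non-sequential key is never read by `$messages[$i]` and reaches the `implode` on the last line of the hunk unescaped, while the loop itself only produces undefined-index warnings. How `$messages` is assembled is outside the hunk (the `array_merge`/`array_walk_recursive` imports suggest a flattened list, but that is inferred, not visible), so iterating by key removes the assumption rather than relying on it: `foreach ($messages as $key => $message) { $messages[$key] = $escaper($message); }`. That form also makes the newly added `use function count;` import in the earlier hunk unnecessary. `render()` starts and ends outside this hunk.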
diff --git a/test/View/Helper/FormElementErrorsTest.php b/test/View/Helper/FormElementErrorsTest.php
index 8f939deee..cbed22097 100644
--- a/test/View/Helper/FormElementErrorsTest.php
+++ b/test/View/Helper/FormElementErrorsTest.php
@@ -222,4 +222,22 @@ public function testCallingTheHelperToRenderInvokeCanReturnObject(): void
$helper = $this->helper;
$this->assertEquals($helper(), $helper);
}
+
+ public function testHtmlEscapingOfMessages(): void
+ {
+ $messages = [
+ [
+ 'First validator message',
+ 'Second validator first message',
+ 'Second validator second message',
+ ],
+ ];
+ $element = new Element('foo');
+ $element->setMessages($messages);
+
+ $markup = $this->helper->render($element);
+
+ $this->assertStringNotContainsString('', $markup);
+ $this->assertStringNotContainsString('', $markup);
+ }
}
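Review bot: The two assertions `$this->assertStringNotContainsString('', $markup)` have an empty needle as rendered, so they do not verify escaping at all — and PHPUnit treats an empty string as contained in every string, so each would simply fail. The fixture messages above them contain no HTML-special characters either, so even with a correct needle the test could not distinguish escaped from unescaped output. If the needles were markup lost in rendering, they need to be spelled out explicitly; in any case a message such as `'Second validator <b>message</b>'` paired with a positive check, `$this->assertStringContainsString('&lt;b&gt;message&lt;/b&gt;', $markup);`, pins the behaviour the source change introduces. The enclosing test class ends at the hunk's final context line.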