From 9b15d4eac9a5a1595e6c2ae3d8772fcbf11dff6a Mon Sep 17 00:00:00 2001
From: Denny Lubitz <lubitz@vivomedia.de>
Date: Fri, 9 Jan 2026 15:05:51 +0100
Subject: [PATCH] BUGFIX: Prevent XSS attacks by coverting special characters
 to HTML entities

---
 Resources/Private/Fusion/Prototypes/ErrorRenderer.fusion | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Resources/Private/Fusion/Prototypes/ErrorRenderer.fusion b/Resources/Private/Fusion/Prototypes/ErrorRenderer.fusion
index b473af3..8db3452 100644
--- a/Resources/Private/Fusion/Prototypes/ErrorRenderer.fusion
+++ b/Resources/Private/Fusion/Prototypes/ErrorRenderer.fusion
@@ -11,7 +11,7 @@ prototype(Neos.Fusion.Form:ErrorRenderer)  < prototype(Neos.Fusion:Component) {
         <ul @if.hasResult={props.result} class={props.class}>
             <Neos.Fusion:Loop items={props.result.flattenedErrors} itemName="errors">
                 <Neos.Fusion:Loop items={errors} itemName="error">
-                    <li>{I18n.id(error.code).package(props.translationPackage).source(props.translationSource).value(error).arguments(error.arguments).translate()}</li>
+                    <li>{String.htmlSpecialChars(I18n.id(error.code).package(props.translationPackage).source(props.translationSource).value(error).arguments(error.arguments).translate())}</li>
                 </Neos.Fusion:Loop>
             </Neos.Fusion:Loop>
         </ul>