Yii login module XSS attack [ version 2.0 ]
I am using the standard login module generated by Yii2 itself. Where is the problem?
The scanning tool reported the following:
Attack details
URL encoded POST input LoginForm%5bpassword%5d was set to login-button='"()&%<acx><ScRiPt >prompt(964753)</ScRiPt>
Request
POST /hengtai/backend/web/site/login HTTP/1.1
Content-Length: 236
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:80/hengtai/backend/web/site/login
Cookie: ht=97j58lmjliajndpuhtn4mc9s95
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
login-button=&LoginForm%5bpassword%5d=login-button%3d'%22()%26%25<acx><ScRiPt%20>prompt(964753)</ScRiPt>&LoginForm%5brememberMe%5d=0&LoginForm%5brememberMe%5d=1&LoginForm%5busername%5d=hdchpnvr&LoginForm%5bverifyCode%5d=g00dPa%24%24w0rD
Response
HTTP/1.1 500 Internal Server Error
Date: Tue, 08 May 2018 07:45:38 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9
X-Powered-By: PHP/7.0.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 93299
1 answer
WGTwgt