ZF-11737: Zend_Dojo_View_Helper_Textarea does not escape value

Issue Type:
Improvement
Created:
2011-09-13T09:21:41.000+0000
Last Updated:
2011-09-14T19:53:24.000+0000
Status:
Open
Fix version(s):
    Reporter:
    Daniel Jungbluth (djungbluth)
    Assignee:
    Matthew Weier O'Phinney (matthew)
    Tags:
    • Zend_Dojo
    Related issues:
    Attachments:

    Description

    Zend_Dojo_View_Helper_Textarea does not escape its value by default as other view helpers do. This could lead to a potential security leak.

    I would expect this helper to function as:

    Index: library/Zend/Dojo/View/Helper/Textarea.php

    --- library/Zend/Dojo/View/Helper/Textarea.php (revision 28557) +++ library/Zend/Dojo/View/Helper/Textarea.php (working copy) @@ -72,7 +72,7 @@ $attribs = $this->_prepareDijit($attribs, $params, 'textarea');

         $html = '<textarea' . $this->_htmlAttribs($attribs) . '>'

    - . $value + . $this->view->escape($value) . "\n";

         return $html;

    Comments

    Posted by Matthew Weier O'Phinney (matthew) on 2011-09-13T13:34:10.000+0000

    This is actually due to how the Dojo Textarea dijit works; escaped text leads to breakage of the dijit.

    Posted by Daniel Jungbluth (djungbluth) on 2011-09-14T19:53:24.000+0000

    Okay, but I couldn't find out what actually "breaks". Can you briefly elaborate on this, please?

    That something like the following is possible, is really fatal in my opinion:

    $dojoForm->addElement('Textarea', 'name', array('value'=>''));

    One could use the SimpleTextarea view helper which does escaping by default but I like the dynamic resizing feature of the "full" Textarea. Or, one could filter the input, etc... What would be best practice?