ZF-11737: Zend_Dojo_View_Helper_Textarea does not escape value


Zend_Dojo_View_Helper_Textarea does not escape its value by default, as the other view helpers do. This could lead to a potential security leak.

I would expect this helper to function as:

Index: library/Zend/Dojo/View/Helper/Textarea.php

--- library/Zend/Dojo/View/Helper/Textarea.php (revision 28557) +++ library/Zend/Dojo/View/Helper/Textarea.php (working copy) @@ -72,7 +72,7 @@ $attribs = $this->_prepareDijit($attribs, $params, 'textarea');

     $html = '<textarea' . $this->_htmlAttribs($attribs) . '>'

- . $value + . $this->view->escape($value) . "\n";

     return $html;
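Review bot: the `+` line escapes `$value` unconditionally via `$this->view->escape($value)`, which matches what the other form view helpers do, but the hunk comes with no test; since the reply below states that escaped text breaks the Textarea dijit, the change should add a unit test that renders a value containing markup through the helper and checks both the escaped output and that the dijit still initialises, and the helper's docblock should note that the value is now escaped.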


This is actually due to how the Dojo Textarea dijit works; escaped text leads to breakage of the dijit.

Okay, but I couldn't find out what actually "breaks". Can you briefly elaborate on this, please?

That something like the following is possible is really fatal in my opinion:

$dojoForm->addElement('Textarea', 'name', array('value'=>''));

One could use the SimpleTextarea view helper which does escaping by default but I like the dynamic resizing feature of the "full" Textarea. Or, one could filter the input, etc... What would be best practice?
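As an added illustration of the escaping question raised in this thread (this is not code from the issue or from Zend Framework), the following stand-in for the helper's rendering shows the same value rendered raw, as the helper currently does, and escaped with htmlspecialchars(), the function Zend_View uses as its default escape callback. The helper name, the ENT_QUOTES flag and the sample value are my assumptions.

```php
<?php
// Minimal stand-in (hypothetical, not the Zend helper) for the part of
// Zend_Dojo_View_Helper_Textarea::textarea() that the patch above touches:
// the textarea body is either concatenated raw or passed through the
// view's escaper before it is placed between the <textarea> tags.
function renderTextarea(string $name, string $value, bool $escape): string
{
    // Attribute values are always escaped; only the body is switchable here,
    // mirroring the single line the patch changes.
    $attr = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $body = $escape
        ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        : $value;

    return '<textarea name="' . $attr . '">' . $body . "\n</textarea>";
}

// Constructed sample value: user-supplied text that happens to contain markup.
$value = 'Hello </textarea><b>outside the textarea</b>';

// Raw render: the closing tag inside the value terminates the element early,
// so the browser parses the rest of the value as page markup rather than
// as textarea content. This is the behaviour the report describes.
echo renderTextarea('comment', $value, false), "\n\n";

// Escaped render: '<', '>', '&' and quotes become entities, so the whole
// value stays inside the element and the browser displays it as plain text.
// The decoded text the user sees in the textarea is unchanged.
echo renderTextarea('comment', $value, true), "\n";
```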