ZF-2283: View Helper htmlList() needs to escape output (but currently doesn't).


-- Carlton Gibson wrote (on Friday, 07 December 2007, 12:18 PM +0000): I've been using the Zend_View_Helper htmlList, but from the code it looks like it fails to escape values properly.

The guidelines for writing view helpers state:

In general, the class should not echo or print or otherwise generate output. Instead, it should return values to be printed or echoed. The returned values should be escaped appropriately.

I've been using the following construct in my view scripts to get round this:

<?php for ($i=0;$ilistArray);++$i) { $this->listArray[$i] = $this->escape($this->listArray[$i]); } echo $this->htmlList($this->listArray); ?>

Obviously this would be better off in a function to start with but I'm thinking of writing it into a custom helper.

My thought though is that this should perhaps go in the standard ZF version. Does anyone know why htmlList() doesn't do the escaping? Do people think this is worth doing?

Absolutely htmlList() should escape values. Could you add an issue to the tracker for this, so we don't forget about it?


-- Matthew Weier O'Phinney PHP Developer | Zend - The PHP Company |


I think two relevant cases here:

1) You pass htmlList() an array of values which you want escaping. This could be the default. 2) You pass htmlList() something like an array of links, which you don't want escaping.

In the second case you should be able to pass htmlList() FALSE as a second parameter whereby you explicitly take the responsibility of escaping the output elsewhere upon yourself.

As long as the setView() method was present in the HtmlList class definition, something like the above quick fix could be conditionally placed at the beginning of the existing htmlList() method and the helper should work as desired...


public function htmlList($inputArray, $escape=TRUE) { {quote} if ($escape=TRUE) { for ($i=0;$i<count($inputArray);++$i) { //Calling Parent View's escape() method, via reference from $this->setVeiw() $inputArray[$i] = $this->escape($inputArray[$i]); } } {quote}

//Existing htmlList Code Here...


Proposed patch that doesn't break BC:

--- /library/Zend/View/Helper/HtmlList.php  (revision 7096)
+++ /library/Zend/View/Helper/HtmlList.php  (working copy)
@@ -44,9 +44,10 @@
      * @param array   $items   Array with the elements of the list
      * @param boolean $ordered Specifies ordered/unordered list; default unordered
      * @param array   $attribs Attributes for the ol/ul tag.
+     * @param boolean $escape  Escape list item contents
      * @return string The list XHTML.
-    public function htmlList(array $items, $ordered = false, $attribs = false)
+    public function htmlList(array $items, $ordered = false, $attribs = false, $escape = false)
         if (!is_array($items)) {
             require_once 'Zend/View/Exception.php';
@@ -57,6 +58,9 @@
         foreach ($items as $item) {
             if (!is_array($item)) {
+                if ($escape && $this->view instanceof Zend_View_Abstract) {
+                    $item = $this->view->escape($item);
+                }
                 $list .= '' . $item . '';
             } else {
                 if (5 < strlen($list)) {

Fixed in revision 7442. Thanks, Carlton.

Revision 7743 allows for switching escaping off.

Minor BC break: All Zend Framework view helpers escape output by default so escaping must be switched off if one wants to pass an unmodified value.