ZF-2343: Safe HTML project

Description

HTML produced by Zend Framework components should be safe for publishing by removing all potentially harmful content, such as JavaScript.

We should start by testing the current algorithm of {{Zend_Filter_StripTags}} against various attack vectors.

References:

http://ha.ckers.org/xss.html

http://htmlpurifier.org/comparison.html

http://www.owasp.org/index.php/AntiSamy

This issue may affect other components, such as Zend_View and friends.

Comments

This doesn't appear to have been fixed in 1.5.0. Please update if this is not correct.

Please evaluate and categorize/assign as necessary.

You can also look at http://php-ids.org/

Reassigning for prioritization.

This is a massive undertaking and should come in the form of a component proposal.