Issues

ZF-2554: Validation errors not XSS-attack safe

Description

I'm using the form example from the manual. When submitting the following string

    ">

I'm getting 2 errors:

    * '">' has not only alphabetic and digit characters
    * '">' is greater than 20 characters long

and also 2 alert boxes. I should get:

    * '">' has not only alphabetic and digit characters
    * '">' is greater than 20 characters long

without the 2 alerts.

Comments

Attached patch for Zend_View_Helper_FormErrors adds HTML escaping for form error messages.

Fixed in r7851; error messages are now escaped.

Sorry for opening that again. But shouldn't only $value be escaped instead of the whole error message string? In some cases someone could have HTML tags or entities in the translation messages which will be escaped with that patch.

Maybe escaping should be done on the Zend_Validate_Abstract level having setEscape()/getEscape() methods (similar to Zend_View) which allows escaping in _createMessage().

Zend_Validate's messages may or may not be used in an HTML view -- a common use case for them would be logging. Adding escaping to Zend_Validate blurs the boundaries between the business logic and the view layer.

That's right, my solution was just a shot in the dark. I also forgot to make clear in my previous post that escaping should be disabled by default and can be enabled by something like Zend_Validate_Abstract::setEscape('htmlspecialchars').

Just stumbled upon it working on a current project where the error messages contain escaped German umlauts (ü etc)...
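An added illustration of the trade-off discussed in this thread (example code, not the ZF-2554 patch or any Zend Framework code): escaping the finished message in the view helper neutralises the reporter's `">` string, but it also double-encodes a translated message that already carries an HTML entity for an umlaut, whereas escaping only the interpolated value leaves the translation untouched. The message templates, the `%value%` placeholder and the function names are constructed for this example.

```php
<?php
// Added example, not the ZF-2554 patch. Shows the two behaviours discussed
// in the thread: escaping the whole rendered error message versus escaping
// only the untrusted submitted value that is interpolated into it.

// Constructed validator-style message templates. The second one mimics a
// translated message that already contains an HTML entity (&auml;).
$templates = array(
    'notAlnum' => "'%value%' has not only alphabetic and digit characters",
    'tooLong'  => "'%value%' ist l&auml;nger als 20 Zeichen",
);

// Constructed input: the attribute-breaking string from the bug report.
$value = '">';

function createMessage($template, $value)
{
    // Plain interpolation, as a validator does before the view renders it.
    return str_replace('%value%', $value, $template);
}

function escapeWholeMessage($message)
{
    // Escape the finished string in the view helper: safe against the
    // reported XSS, but any entity in the translation becomes &amp;auml;.
    return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

function escapeValueOnly($template, $value)
{
    // Escape only the untrusted value; the (trusted) translated template
    // keeps its entities and markup as written.
    $safeValue = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return str_replace('%value%', $safeValue, $template);
}

foreach ($templates as $key => $tpl) {
    $raw = createMessage($tpl, $value);
    echo $key, "\n";
    echo "  unescaped:     ", $raw, "\n";                           // '">' survives
    echo "  whole escaped: ", escapeWholeMessage($raw), "\n";       // &auml; -> &amp;auml;
    echo "  value escaped: ", escapeValueOnly($tpl, $value), "\n";  // entity preserved
}
```

Value-only escaping is only as safe as the translation strings themselves, since everything in the template reaches the browser unescaped; escaping the whole message is the conservative default when translations cannot be treated as trusted markup.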