ZF-3781: URL view helper does not escape html special chars


The URL view helper currently does automatically escape html special chars, so it still has to be done manually. Since it is only intended for the view, it actually should.


Can you provide a use case to for this? To me since it just uses the router to assemble the url you should have to escape the data before you pass it in. But if you can make a good case for this it can be considered for a change.

Yeah sure (and hi Jon, btw, hope you remember me ;)).

When creating a URL in a view, which creates an ampersand, double-quotes or other characters (which are valid for URLs), the generated source code isn't valid anymore. Since this is a view helper, it should escape its output with the escape() view helper.

Yes I do remember you. And what view helper are you using? I'm using the Rewrite Router (urls are formatted like /help/1/foo/bar) so I don't get the ? and & on my urls. I think this may be a possibility to change but it has to be specific to a router...

Can you also produce a test case for this issue?

I could even do the changes myself, I just didn't do it yet because I was too lazy.

Zend_Controller_Router_Route: /article/:name
$route->assemble(array('name' => 'foo & bar'));

Actual Output: /article/foo+&+bar

Expected Output (with default escape() settings): /article/foo+&+bar

Argh, wrongly escape...

Expected Output (with default escape() settings):


Ok now it gets stupid...

Expected output:


Doing this would break BC as most people are already using the $this->escape() and it would double escape anything that they have already escaped.

Then I mark this as fix for 2.0, as there we are able to break BC.

Moving this issue to be Unassigned as it's postponed till the 2.0 cycle as it would break BC.

I found a solution to not have it as a BC-break, but instead as additional feature (until we clarify the default behaviour for 2.0):

I'll add a static method Zend_View_Helper_Url::setEscape(boolean $enable). By default it will have the old behaviour (of not escaping URLs), but those who want that feature can enable it (e.g. in their bootstrap). I would also suggest an additional parameter in the Zend_View_Helper_Url::url() method to set the escaping for a single call (null = default behaviour set by setEscape, false = don't escape, true = escape).

I'll let Matthew review this before working on it.

I see three solutions:

* Pass variables through escape() as you pass them to the helper (current method)
* Add an optional argument to the url() signature for "escape", allowing per-call escaping
* Have a static flag for setting the default behavior

All of these are BC.
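The static default plus per-call override proposed two comments up, and the three options listed just above, sketched as an added example that is not Zend code: UrlHelperSketch, its assemble() stand-in (which just reproduces the "/article/foo+&+bar" output quoted earlier instead of calling a router) and the demo values are all hypothetical.

```php
<?php
// Added sketch of the proposals in this thread: a process-wide default set by
// a static setEscape(), plus a per-call override on url(). Hypothetical code,
// not Zend_View_Helper_Url; the router is stubbed out.

class UrlHelperSketch
{
    /** Proposed static default. Off = the old behaviour (no escaping). */
    private static $escapeByDefault = false;

    public static function setEscape($enable)
    {
        self::$escapeByDefault = (bool) $enable;
    }

    /** Stand-in for $route->assemble(): spaces become '+', nothing else is touched. */
    private function assemble(array $params)
    {
        return '/article/' . str_replace(' ', '+', $params['name']);
    }

    /**
     * $escape: null = use the static default, false = don't escape, true = escape.
     * htmlspecialchars() with ENT_QUOTES is what the default escape() view helper
     * applies, so '&' and '"' can no longer break out of an href="..." attribute.
     */
    public function url(array $params, $escape = null)
    {
        $raw      = $this->assemble($params);
        $doEscape = ($escape === null) ? self::$escapeByDefault : (bool) $escape;
        return $doEscape ? htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') : $raw;
    }
}

$helper = new UrlHelperSketch();
$params = array('name' => 'foo & "bar"');   // constructed sample input

// Option 1 (current): raw helper output; the template must escape it itself.
printf('<a href="%s">raw</a>%s', $helper->url($params), PHP_EOL);
printf('<a href="%s">template-escaped</a>%s',
       htmlspecialchars($helper->url($params), ENT_QUOTES, 'UTF-8'), PHP_EOL);

// Option 2: per-call override, escaped whatever the default is.
printf('<a href="%s">per-call</a>%s', $helper->url($params, true), PHP_EOL);

// Option 3: flip the global default. A template that still wraps the helper
// in escape() now encodes the ampersand twice: the BC break mentioned above.
UrlHelperSketch::setEscape(true);
printf('<a href="%s">default-on</a>%s', $helper->url($params), PHP_EOL);
printf('<a href="%s">double-escaped</a>%s',
       htmlspecialchars($helper->url($params), ENT_QUOTES, 'UTF-8'), PHP_EOL);
```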

Should we postpone or move forward with one of Matthew's proposed solutions?

I'd say postpone it for 2.0 and make escaping be the default, but have an option to disable it.

Added Next Major Release as an affected version for filtering

Should I resolve this ticket as 'Postponed' and clone it into ZF2, then?