ZF-6430: Twitter Service returns data with inconsistent escapes


Data returned from twitter service has got the characters < and > escaped to < and > to avoid cross site scripting (at least the friendtimeline data) - but other special html characters are not escaped (e.g. & to &). This is a problem because in order to produce valid xhtml, special html characters must be escaped. Normally the Zend view helper function escape() can be used to do the escape but due to that < and > are already escaped to < and > then the & part of < and > will be escaped again to & and effectively the < and > characters will be displayed as < and &gt in the browser when outputted; instead of < and > - in the source they will be &lt; and &gt;

As a temporary fix I use this function to remove the escapes made by twitter before using the Zend view helper function escape(), but it would be really nice if this was already done by Zend: function unescapeTwitter($string) { return str_replace(array('<','>'), array('<','>'), $string); }

If not fixed, then please write a warning about it in the documentation. I found the affected version of Zend using "echo Zend_Version::VERSION;".


This is how twitter returns the data. Let me talk this over with the Zenders and I'll let you know what I come up with.

I think we can do this. The only reason the transformation of the < and > are in there are so that whatever is inside will play nice with xml. Since our API abstracts away the fact that XML is being returned, I see no issue in un-xml-escaping the values. Would there be any issues with doing this that you can see, Jon?

Currently we only return the Zend_Rest_Client_Result so we could have to modify the way items are returned, This would break bc if we change it so I could see this has being an issue that is held off on until 2.0