ZF-6753: Implementation of Dojo_View_Helper_Editor is outdated and insecure
Hi, I believe that the ZF implementation of the rich text editor dijit.Editor is based on outdated Dojo docs and is apparently insecure. In use, it logs warnings to the Firebug console about not using it with HTML textarea tags. From the Dojo comments:

// Do not use this widget
// with an HTML <TEXTAREA> tag, since the browser unescapes XML escape characters,
// like <. This can have unexpected behavior and lead to security issues
// such as scripting attacks.
The fix is to alter lines 89-92 of Zend/Dojo/View/Helper/Editor.php to:

```php
// Note: the <input and <div element names were stripped when this report was
// rendered as HTML; they are restored here from context (hidden input carrying
// the submitted value, editor attached to a div instead of a textarea).
89 $attribs = $this->_prepareDijit($attribs, $params, 'textarea');
90
91 $html = '<input' . $this->_htmlAttribs($hiddenAttribs) . $this->getClosingBracket() .
92        '<div' . $this->_htmlAttribs($attribs) . '>' . $value . '</div>';
```
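To make the difference concrete, here is an added example (not Zend Framework's own code) that renders the two markup shapes side by side: the outdated textarea-backed editor and the hidden-input-plus-div form proposed above. The function names, the `-Editor` id suffix and the `dojoType` attribute usage are assumptions for illustration.

```php
<?php
// Added example, not part of Zend_Dojo_View_Helper_Editor. Function and
// attribute names are hypothetical stand-ins for the helper's rendering step.

// Escape a value once for use inside an HTML attribute or element body.
function escHtml($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Outdated form: dijit.Editor attached to a <textarea>. The browser treats
// textarea content as RCDATA and decodes character references, so an escaped
// value such as "&lt;b&gt;" reaches the widget as the literal markup "<b>",
// which the editor then places into its editing frame as HTML. Escaping on
// the server therefore does not survive the round trip through the textarea.
function renderEditorTextarea($name, $value) {
    return '<textarea name="' . escHtml($name) . '" dojoType="dijit.Editor">'
         . escHtml($value)
         . '</textarea>';
}

// Proposed form: a hidden <input> carries the value that is submitted with the
// form, and the editor is attached to a <div>. Div content is ordinary HTML,
// so "&lt;b&gt;" stays the text "<b>" in the DOM instead of becoming a tag.
// The rich-text value itself is still HTML and must be sanitized by the
// application before it is stored or rendered; this only removes the
// textarea decoding step that undid the escaping.
function renderEditorDiv($name, $value) {
    $hiddenId = $name . '-Editor';
    return '<input type="hidden" name="' . escHtml($name) . '"'
         . ' value="' . escHtml($value) . '" />'
         . '<div id="' . escHtml($hiddenId) . '" dojoType="dijit.Editor">'
         . escHtml($value)
         . '</div>';
}

// Constructed sample value: escaped markup that the author intends as text.
$sample = '<b>not bold</b>';
echo renderEditorTextarea('body', $sample), "\n";
echo renderEditorDiv('body', $sample), "\n";
```

Loading both fragments in a browser with Dojo shows the textarea-backed editor displaying the sample as bold text, while the div-backed editor displays the literal characters the server escaped.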