ZF-6753: Implementation of Dojo_View_Helper_Editor is outdated and insecure

Description

Hi, I believe that the ZF implementation of the rich text editor dijit.Editor is based on outdated Dojo docs and is apparently insecure. In use, it logs warnings to the Firebug console about not using it with HTML Textarea tags - from the Dojo comments: // Do not use this widget // with an HTML <TEXTAREA> tag, since the browser unescapes XML escape characters, // like <. This can have unexpected behavior and lead to security issues // such as scripting attacks.

The approved method appears to be to use a div instead; however, I suspect this has the downside of not degrading gracefully in the absence of Javascript. I don't know whether the claimed security flaw is important enough to sacrifice this principle for.

The fix is to alter lines 89-92 of Zend/Dojo/View/Helper/Editor.php to:


89        $attribs = $this->_prepareDijit($attribs, $params, 'textarea');
90
91        $html = '_htmlAttribs($hiddenAttribs) . $this->getClosingBracket() .
92                '
_htmlAttribs($attribs) . '>' . $value . '
';

Comments

I fix this is issue in my view helper with follow code:



/**
 * dijit.Editor
 * 
 * @param  string $id 
 * @param  string $value 
 * @param  array $params 
 * @param  array $attribs 
 * @return string
 */
public function editor($id, $value = null, $params = array(), $attribs = array())
{
    $hiddenName = $id;
    if (array_key_exists('id', $attribs)) {
        $hiddenId = $attribs['id'];
    } else {
        $hiddenId = $hiddenName;
    }
    $hiddenId = $this->_normalizeId($hiddenId);

    $hiddenAttribs = array(
        'id'    => $hiddenId,
        'name'  => $hiddenName,
        'value' => $value,
        'type'  => 'hidden',
    );
    
    $editorAttribs = array(
        'id'    => $hiddenId . '-Editor',
        'name'  => $this->_normalizeEditorName($hiddenName)
    );

    $editorAttribs = $this->_prepareDijit($editorAttribs, $params, 'textarea');
    
    $this->_createGetParentFormFunction();
    $this->_createEditorOnSubmit($hiddenId, $textareaId);

    $html = '_htmlAttribs($hiddenAttribs) . $this->getClosingBracket()
          . '
_htmlAttribs($editorAttribs) .'>'.$value.'
'; return $html; }

One mistake


// change line
$this->_createEditorOnSubmit($hiddenId, $textareaId);
// to 
$this->_createEditorOnSubmit($hiddenId, $hiddenId . '-Editor');

This issue causes a previously closed bug report at: http://framework.zend.com/issues/browse/…

As mentioned in ZF-4462, it only happens in IE.

Happened to me in IE7 - my client was complaining that when they tried change the data in the Editor field, they get the text "Array" is saved in place of the content. Dumping the request data reveals that the data submitted is submitted as an array. Similar to what is displayed below:

Array ( [title] => bug test 2 [content] => Array ( [Editor] => bug test 2 ) [sendlive] => 0 [id] => [save] => save )

Fixed in trunk, and will release with 1.10. The change is a slight BC break, but justifiable due to the security implications; however, these changes are best to introduce during a minor release when we can message how to upgrade more granularly.