ZF-8127: Security issue in Zend_Dojo_View_Helper_Editor

Issue Type:
Bug
Created:
2009-10-22T17:37:42.000+0000
Last Updated:
2010-04-27T08:31:48.000+0000
Status:
Resolved
Fix version(s):
  • 1.7.9 (11/Jan/10)
  • 1.8.5 (11/Jan/10)
  • 1.9.7 (11/Jan/10)
Reporter:
Silver Zachara (snop)
Assignee:
Matthew Weier O'Phinney (matthew)
Tags:
  • Zend_Dojo
Related issues:
Attachments:

Description

Hi,

Zend_Dojo_Form_Elements_Editor is generated from in Zend_Dojo_View_Helper_Editor and this is security issue. This is in Dijit documentation: dijit._editor.RichText is the core of dijit.Editor, which provides basic WYSIWYG editing features. It also encapsulates the differences of different js engines for various browsers. Do not use this widget with an HTML tag, since the browser unescapes XML escape characters, like <. This can have unexpected behavior and lead to security issues such as scripting attacks.

http://api.dojotoolkit.org/jsdoc/1.3.2/…

Zend_Dojo_Form_Elements_Editor must be generated from div!

Comments

Posted by Dave Heath (davehimself) on 2009-10-24T08:30:40.000+0000

Wrote a test to check for the presence of a textarea. Changed Editor to inherit from DijitContainer.

Posted by snop3 (snop3) on 2009-10-24T10:31:13.000+0000

Was fast ;), thank you

Posted by Paul Verhoeven (paul verhoeven) on 2009-10-31T20:14:16.000+0000

Duplicate issue:

http://framework.zend.com/issues/browse/ZF-6753

Posted by Matthew Weier O'Phinney (matthew) on 2010-01-07T06:46:55.000+0000

Resolved in trunk and 1.9 release branch; backporting to 1.8 and 1.7 as well.

Posted by snop3 (snop3) on 2010-01-07T10:36:06.000+0000

Great, thank you

Posted by Vladimir Razuvaev (vladar) on 2010-01-20T21:23:56.000+0000

This should also fix ZF-5387