ZF-8127: Security issue in Zend_Dojo_View_Helper_Editor

Description

Hi,

Zend_Dojo_Form_Elements_Editor is generated from a <textarea> in Zend_Dojo_View_Helper_Editor, and this is a security issue. This is in the Dijit documentation: dijit._editor.RichText is the core of dijit.Editor, which provides basic WYSIWYG editing features. It also encapsulates the differences of different js engines for various browsers. Do not use this widget with an HTML <textarea> tag, since the browser unescapes XML escape characters, like <. This can have unexpected behavior and lead to security issues such as scripting attacks.

http://api.dojotoolkit.org/jsdoc/1.3.2/…

Zend_Dojo_Form_Elements_Editor must be generated from a div!
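The behaviour described above, as an added example that is not part of the original report or of Zend's own test suite: it shows why escaped content loaded through a textarea comes back as live markup while a div keeps it escaped, and a small regression check of the kind the fix called for. The sample markup is constructed to resemble the before/after rendering and is not the helper's exact output.

```python
"""Added illustration for ZF-8127 (not Zend Framework code).

The Dijit Editor loads the content of its host element into an editable
area as HTML. With a <textarea> host the browser has already decoded
entities such as &lt; into <, so escaped user content turns into markup.
With a <div> host the entities stay escaped.
"""
import html
from html.parser import HTMLParser


def effective_editor_html(host_tag, escaped_content):
    """Return the markup the editor ends up loading for escaped_content."""
    if host_tag.lower() == "textarea":
        # textarea: the browser decodes entities before dijit reads .value
        return html.unescape(escaped_content)
    # div: innerHTML keeps the entities, so the editor sees them escaped
    return escaped_content


class _EditorHostFinder(HTMLParser):
    """Collect the tag name of every element with dojoType="dijit.Editor"."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names
        if dict(attrs).get("dojotype", "").lower() == "dijit.editor":
            self.hosts.append(tag.lower())


def editor_hosts(markup):
    finder = _EditorHostFinder()
    finder.feed(markup)
    return finder.hosts


def editor_markup_is_safe(markup):
    """True when every dijit.Editor in the markup is hosted on a div."""
    hosts = editor_hosts(markup)
    return bool(hosts) and all(h == "div" for h in hosts)


# Constructed sample markup (assumed shape, not the helper's real output)
PAYLOAD = "&lt;script&gt;alert(1)&lt;/script&gt;"
UNSAFE = '<textarea id="body" dojoType="dijit.Editor">' + PAYLOAD + "</textarea>"
SAFE = '<div id="body" dojoType="dijit.Editor">' + PAYLOAD + "</div>"
```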

Comments

Wrote a test to check for the presence of a textarea. Changed Editor to inherit from DijitContainer.

Was fast ;), thank you

Resolved in trunk and 1.9 release branch; backporting to 1.8 and 1.7 as well.

Great, thank you

This should also fix ZF-5387