Security Advisory

ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor

Executive Summary

Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV. The Dojo team has reported that this has security implications as the rich text editor they use is unable to escape content for a TEXTAREA.

Action Taken

The primary rationale in Zend Framework for using a TEXTAREA with the Editor Dijit was to allow for graceful degradation in browser environments that do not support JavaScript. The component has been reworked such that we now decorate an HTML DIV, and provide a separate TEXTAREA within a NOSCRIPT tag for purposes of graceful degradation; content is escaped in the latter TEXTAREA.

Recommendations

If you use Zend_Dojo_View_Helper_Editor, it is strongly recommended that you upgrade to either the latest available Zend Framework release, or one of the following releases, immediately:

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

back to advisories