Security Advisory

ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json

Executive Summary

Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding, leading to incompatibilities with the JSON specification, and opening the potential for XSS or HTML injection attacks when returning HTML within a JSON string.

Action Taken

Zend_Json_Encoder was patched to escape the solidus character when encoding PHP strings to JSON.


This particular vulnerability only affects those users who are either (a) using Zend_Json_Encoder directly, (b) requesting native encoding instead of usage of ext/json (e.g., by enabling the static $useBuiltinEncoderDecoder property of Zend_Json), or (c) on systems where ext/json is unavailable (e.g. RHEL, CentOS). If you are affected, we strongly recommend upgrading to the latest available Zend Framework release, or one of the following releases, immediately.

Other Information


The Zend Framework team thanks the following for working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.


Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

Released Mon, 11 Jan 2010 16:00:00 -0500.

back to advisories