Security Advisory
ZF2012-03: Potential XSS Vectors in Multiple Zend Framework 2 Components
Zend\Debug, Zend\Feed\PubSubHubbub,
Zend\Log\Formatter\Xml, Zend\Tag\Cloud\Decorator,
Zend\Uri, Zend\View\Helper\HeadStyle,
Zend\View\Helper\Navigation\Sitemap,
and Zend\View\Helper\Placeholder\Container\AbstractStandalone
were not using Zend\Escaper when escaping HTML, HTML
attributes, and/or URLs. While most were performing some escaping, because
they were not using context-appropriate escaping mechanisms, they could
potentially be exploited to perform Cross Site Scripting (XSS) attacks.
Action Taken
Each component and/or class was evaluated to determine which context-appropriate
escaping mechanism should be used, and the appropriate method from
Zend\Escaper\Escaper was then used. In most cases, this also involved
composing the Escaper class as an injectible dependency.
In the case of Zend\Tag\Cloud\Decorator, the HtmlCloud
and HtmlTag decorators were found to lack validation of user-provided
HTML element and attribute names. Logic was added to validate these and raise an
exception if invalid.
This patch has been applied starting in versions 2.0.1 of Zend Framework, as well as to the 2.1 development branch.
Recommendations
If you are using any of the components listed, we recommend upgrading to 2.0.1 or greater.
Other Information
Acknowledgments
The Zend Framework team thanks the following for working with us to help protect its users:
- Robert Basic
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Policy
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)