Security Advisory

ZF2014-03: Potential XSS vector in multiple view helpers

Many Zend Framework 2 view helpers used the escapeHtml() view helper to escape values placed in HTML attributes, rather than the escapeHtmlAttr() helper intended for that context. escapeHtml() neutralises only the characters that are special in HTML text content (the ampersand, the angle brackets and the two quote characters); it leaves whitespace, "=" and other punctuation untouched, so it only protects an attribute value if the surrounding markup reliably encloses that value in quotes. escapeHtmlAttr() encodes every character that could end or alter an attribute, regardless of quoting. Where user-supplied data and/or JavaScript is used to seed such attributes, using the weaker helper creates potential cross-site scripting (XSS) attack vectors.
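The following Python example is added to this advisory for illustration; it is not code from Zend Framework. It re-implements the two escaping rules (HTML text-content escaping as PHP's htmlspecialchars(ENT_QUOTES) applies it, and attribute escaping that hex-encodes everything outside [A-Za-z0-9,.-_]) under the assumed names escape_html and escape_html_attr, renders a hypothetical helper's title attribute with and without quotes, and uses Python's tolerant HTML parser to show which attributes a parser actually extracts. The payloads are constructed for the example and do not come from any report.

```python
from html.parser import HTMLParser
import re

# Added illustration, not Zend Framework code: the two escaping strategies
# re-implemented so the difference is observable in isolation.


def escape_html(value: str) -> str:
    """HTML text-content escaping, as htmlspecialchars(ENT_QUOTES) does in PHP.

    Only the five characters special in HTML text are rewritten; whitespace,
    '=' and parentheses pass through untouched.
    """
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#039;"))


def escape_html_attr(value: str) -> str:
    """HTML attribute escaping: every character outside [A-Za-z0-9,.-_] becomes
    a hex character reference, so the value cannot end the attribute it sits
    in or start a new one, even when the markup does not quote it."""
    def encode(match):
        cp = ord(match.group(0))
        return f"&#x{cp:02X};" if cp < 0x100 else f"&#x{cp:04X};"
    return re.sub(r"[^A-Za-z0-9,.\-_]", encode, value)


def render_unquoted(title: str, escaper) -> str:
    """Hypothetical helper that emits an attribute value without quotes."""
    return "<span title=%s>hover me</span>" % escaper(title)


def render_quoted(title: str, escaper) -> str:
    """The same hypothetical helper emitting a double-quoted attribute."""
    return '<span title="%s">hover me</span>' % escaper(title)


class _AttrCollector(HTMLParser):
    """Records the (name, value) pairs the tolerant parser assigns to each tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def attribute_names(markup: str) -> list:
    """Attribute names a browser-like parser extracts from the rendered markup."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return [name for name, _ in collector.attrs]


# Constructed payloads for the demonstration (not taken from any real report):
# one aimed at an unquoted attribute, one that tries to close a quoted one.
UNQUOTED_PAYLOAD = "x onmouseover=alert(1)"
QUOTED_PAYLOAD = '" onmouseover="alert(1)'

if __name__ == "__main__":
    for label, render, payload in (
        ("unquoted", render_unquoted, UNQUOTED_PAYLOAD),
        ("quoted", render_quoted, QUOTED_PAYLOAD),
    ):
        for name, esc in (("escapeHtml", escape_html),
                          ("escapeHtmlAttr", escape_html_attr)):
            markup = render(payload, esc)
            print(f"{label:8s} {name:15s} {attribute_names(markup)}  {markup}")
```

Run stand-alone, the script shows that escape_html leaves the unquoted payload byte-for-byte intact, so the parser sees a second attribute named onmouseover, whereas escape_html_attr turns the space and "=" into &#x20; and &#x3D; and the parser sees a single title attribute whose decoded value is the harmless text. In the quoted case both escapers keep the value inside the attribute; only the attribute escaper does so without depending on the quotes.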

Vulnerable view helpers include:

Action Taken

All view helpers affected have been updated to use the escapeHtmlAttr() view helper when escaping data for HTML attributes.

The following releases contain the fixes:

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect our users:
