ZF2014-03: Potential XSS vector in multiple view helpers
Vulnerable view helpers include:
- All Zend\Form view helpers.
- Most Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.
- All "HTML Element" view helpers: htmlFlash(), htmlPage(), htmlQuickTime().
All affected view helpers have been updated to escape data placed in HTML attributes with the escapeHtmlAttr() view helper, which applies attribute-context escaping; escaping intended for HTML body content is not sufficient in that context.
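The following is an added illustration of why attribute values need their own escaper; it is not Zend Framework code and not part of the original advisory. It contrasts HTML-body escaping (htmlspecialchars(), the rule escapeHtml() applies) with a simplified reimplementation of attribute-context escaping (assumption: every character outside [A-Za-z0-9,._-] is encoded as a numeric entity, which is the rule escapeHtmlAttr() follows). The helper names escapeBody(), escapeAttr() and renderInput(), and the attacker string, are constructed for this example.

```php
<?php
// Added example for ZF2014-03, not Zend Framework code. Shows why a value
// destined for an HTML attribute must be escaped with an attribute-context
// escaper rather than the body-context rule used for element content.

declare(strict_types=1);

// Body context: htmlspecialchars() only touches & < > " '.
function escapeBody(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute context (simplified reimplementation, assumption in lead-in):
// anything outside a conservative alphanumeric set could terminate an
// unquoted attribute or start a new one, so encode it all as &#xHH;.
function escapeAttr(string $value): string
{
    return preg_replace_callback(
        '/[^A-Za-z0-9,._-]/u',
        static function (array $m): string {
            return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
        },
        $value
    );
}

// A template that emits an unquoted attribute value. Quoting is the right
// template-level fix, but the escaper must hold up even when it is missing.
function renderInput(string $value, callable $escaper): string
{
    return '<input type="text" value=' . $escaper($value) . '>';
}

// Constructed attacker input: it contains none of the five characters the
// body escaper knows about, so body escaping leaves it untouched.
$payload = 'x onfocus=alert(1) autofocus';

$withBodyEscaping = renderInput($payload, 'escapeBody');
$withAttrEscaping = renderInput($payload, 'escapeAttr');

// With body escaping the space and '=' survive, so the browser tokenises
// two new attributes (onfocus, autofocus) and the handler fires on load.
if ($withBodyEscaping !== '<input type="text" value=x onfocus=alert(1) autofocus>') {
    throw new RuntimeException('unexpected body-escaped output');
}

// With attribute escaping the whole string stays inside the value: the
// tokeniser sees no whitespace or '=' until after the entities are decoded.
if ($withAttrEscaping !== '<input type="text" value=x&#x20;onfocus&#x3D;alert&#x28;1&#x29;&#x20;autofocus>') {
    throw new RuntimeException('unexpected attribute-escaped output');
}

echo $withBodyEscaping, PHP_EOL;
echo $withAttrEscaping, PHP_EOL;
```

The stricter escaper is what lets a view helper stay safe regardless of how the surrounding markup quotes the attribute, which is why the fix standardises on escapeHtmlAttr() for every attribute value rather than relying on each helper to quote correctly.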
The following releases contain the fixes:
- Zend Framework 2.2.7
- Zend Framework 2.3.1
The Zend Framework team thanks the following for identifying the issue and working with the team to help protect its users:
- Evan Coury (github.com/EvanDotPro) for reporting the issue.
- Marco Pivetta (github.com/Ocramius) for providing a patch.
Released Tue, 15 April 2014 15:05:00 -0500.