ZF-11737: Zend_Dojo_View_Helper_Textarea does not escape value

Issue Type: Improvement Created: 2011-09-13T09:21:41.000+0000 Last Updated: 2011-09-14T19:53:24.000+0000 Status: Open Fix version(s): Reporter: Daniel Jungbluth (djungbluth) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Dojo

Related issues: Attachments:


Zend_Dojo_View_Helper_Textarea does not escape its value by default as other view helpers do. This could lead to a potential security leak.

I would expect this helper to function as:

Index: library/Zend/Dojo/View/Helper/Textarea.php

--- library/Zend/Dojo/View/Helper/Textarea.php (revision 28557) +++ library/Zend/Dojo/View/Helper/Textarea.php (working copy) @@ -72,7 +72,7 @@ $attribs = $this->_prepareDijit($attribs, $params, 'textarea');

     $html = '<textarea' . $this->_htmlAttribs($attribs) . '>'
  • . $value + . $this->view->escape($value) . "\n";

       return $html;


Posted by Matthew Weier O'Phinney (matthew) on 2011-09-13T13:34:10.000+0000

This is actually due to how the Dojo Textarea dijit works; escaped text leads to breakage of the dijit.

Posted by Daniel Jungbluth (djungbluth) on 2011-09-14T19:53:24.000+0000

Okay, but I couldn't find out what actually "breaks". Can you briefly elaborate on this, please?

That something like the following is possible, is really fatal in my opinion:

$dojoForm->addElement('Textarea', 'name', array('value'=>''));

One could use the SimpleTextarea view helper which does escaping by default but I like the dynamic resizing feature of the "full" Textarea. Or, one could filter the input, etc... What would be best practice?

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.