Issue Type: Improvement Created: 2011-09-13T09:21:41.000+0000 Last Updated: 2011-09-14T19:53:24.000+0000 Status: Open Fix version(s): Reporter: Daniel Jungbluth (djungbluth) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Dojo
Related issues: Attachments:
Zend_Dojo_View_Helper_Textarea does not escape its value by default as other view helpers do. This could lead to a potential security leak.
I would expect this helper to function as:
--- library/Zend/Dojo/View/Helper/Textarea.php (revision 28557) +++ library/Zend/Dojo/View/Helper/Textarea.php (working copy) @@ -72,7 +72,7 @@ $attribs = $this->_prepareDijit($attribs, $params, 'textarea');
$html = '<textarea' . $this->_htmlAttribs($attribs) . '>'
. $value + . $this->view->escape($value) . "\n";
Posted by Matthew Weier O'Phinney (matthew) on 2011-09-13T13:34:10.000+0000
This is actually due to how the Dojo Textarea dijit works; escaped text leads to breakage of the dijit.
Posted by Daniel Jungbluth (djungbluth) on 2011-09-14T19:53:24.000+0000
Okay, but I couldn't find out what actually "breaks". Can you briefly elaborate on this, please?
That something like the following is possible, is really fatal in my opinion:
$dojoForm->addElement('Textarea', 'name', array('value'=>''));
One could use the SimpleTextarea view helper which does escaping by default but I like the dynamic resizing feature of the "full" Textarea. Or, one could filter the input, etc... What would be best practice?
Have you found an issue?
See the Overview section for more details.