ZF-12054: Possible XSS in Zend_View::escape()

Issue Type: Bug Created: 2012-02-12T20:14:41.000+0000 Last Updated: 2012-05-14T16:02:06.000+0000 Status: Reopened Fix version(s): Reporter: Tomáš Fejfar ( Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_View

Related issues: Attachments:


<pre class="highlight"><?php
require_once "Zend/Loader/Autoloader.php";
$view = new Zend_View();
$userInput = "' onmouseover='alert(/XSS/)";
<span title="<?php echo $view->escape($userInput); ?>">Test</span>

Expected output:

<pre class="highlight">

Actual output with ZF 1.11.8:

Which results in Javascript being executed on mouse over.


Posted by Tomáš Fejfar ( on 2012-02-12T20:15:37.000+0000


Posted by Ryan Mauger (bittarman) on 2012-02-12T20:58:01.000+0000

This is not an XSS vector which has resulted from Zend Framework code.

The escape function is intended to be used to convert html special characters into their entites, such as < into < thus preventing injection of further tags into content. If it were to also add slashes, (to ' or ", or both?) then this would affect the output of many many applications, littering them with superflous slashes which are not actually needed.

Unfortunately, you have decided to use it as a part of escaping a html attribute, not an entire block, it is therefore your responsibility to ensure that user input cannot prematurely end the quoting. (and this should be done through whitelisting your user input).

Posted by Ryan Mauger (bittarman) on 2012-02-12T21:01:37.000+0000

To make this clear, consider this example:

$comments = array("I don't like XSS, it puts a crimp in my day");

foreach ($comments as $comment) { echo $view->escape($comment), "\n"; }

You'd expect: I don't like XSS, it puts a crimp in my day

Due to your proposed fix to your problem: I don\'t like XSS, it puts a crimp in my day

This is not desireable.

Posted by Ryan Mauger (bittarman) on 2012-02-12T21:03:46.000+0000

Closing as not an issue after getting some agreement from other contributors on IRC.

Posted by Tomáš Fejfar ( on 2012-02-12T21:16:51.000+0000

I understand how it works and why it does not work in this case. The problem is that (as average developer) when I call $this->escape($var) I assume it's safe to echo the code. There should at least be a warning in the manual for escape(), that you need to call addslashes whenever using escaped content inside tag's attribute. Typical use - user's name as image alt/title - Jim O'Reily, Dwayne "The Rock" Johnson. You can't filter those. At least this problem is enough to debate whether to hide the real implementation in escape method or use the plain old htmlspecialchars without any wrapper.

Posted by Pádraic Brady (padraic) on 2012-02-12T21:23:27.000+0000

Reopened pending security review.

Posted by Pádraic Brady (padraic) on 2012-02-12T22:02:10.000+0000

Call to htmlspecialchars() or htmlentities() from Zend_View_Abstract::escape uses ENT_COMPAT in preference to ENT_QUOTES which would have replaced single quotes with semantically equivalent numeric entities. Unless double quoted attributes are enforceable by the framework, it seems reasonable to switch the flag.

Please note that all security related issues should be reported to in preference to the issue tracker. You can read our security policy at

Posted by Tomáš Fejfar ( on 2012-02-12T22:07:24.000+0000

I'm sorry. Didn't knew it. My appologies.

Posted by Pádraic Brady (padraic) on 2012-02-12T22:19:43.000+0000

No worries . I've email the zf-security address with a quick note on this, and copied you in so you can track its progress.

Posted by Martin Hujer (mhujer) on 2012-02-13T08:06:52.000+0000…

Posted by Jakub Vrána (vrana) on 2012-02-13T18:15:41.000+0000

To clarify this, the expected output is:

<pre class="highlight">
<span title="' onmouseover='alert(/XSS/)">Test</span>

Posted by Pádraic Brady (padraic) on 2012-02-13T19:12:24.000+0000

Jakub, noted ;). JIRA just decoded that into a forward slash I think for the comments above.

Posted by Adam Lundrigan (adamlundrigan) on 2012-05-14T16:02:06.000+0000

Where does this issue stand? Are there any mitigation strategies we could realistically include in 1.12?

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.