ZF-2554: Validation errors not XSS-attack save

Issue Type: Bug Created: 2008-02-03T09:20:12.000+0000 Last Updated: 2008-03-21T16:25:31.000+0000 Status: Resolved Fix version(s): - 1.5.0 (17/Mar/08)

Reporter: Bert Van Hauwaert (becoded) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Form

Related issues: Attachments: - FormErrors.patch


I'm using the form example from the manual. When submitting the following string bq.\"> I'm getting 2 errors: bq. * '\">' has not only alphabetic and digit characters bq. * '\">' is greater than 20 characters long and also 2 alert boxes. I should get: bq. * '\">' has not only alphabetic and digit characters bq. * '\">' is greater than 20 characters long without the 2 alerts


Posted by Justin Randell (justin) on 2008-02-06T15:39:16.000+0000

attached patch for Zend_View_Helper_FormErrors adds html escaping for form error messages.

Posted by Matthew Weier O'Phinney (matthew) on 2008-02-07T15:33:47.000+0000

Fixed in r7851; error messages are now escaped.

Posted by Jan Sorgalla (jsorgalla) on 2008-02-08T02:35:19.000+0000

Sorry for opening that again. But shouldnt only $value be escaped instead of the whole error message string? In some cases someone could have HTML tags or entities in the translation messages which will be escaped with that patch.

Maybe escaping should be done on the Zend_Validate_Abstract level having setEscape()/getEscape() methods (similar to Zend_View) which allows escaping in _createMessage().

Posted by Matthew Weier O'Phinney (matthew) on 2008-02-08T06:54:57.000+0000

Zend_Validate's messages may or may not be used in an HTML view -- a common use case for them would be logging. Adding escaping to Zend_Validate blurs the boundaries between the business logic and the view layer.

Posted by Jan Sorgalla (jsorgalla) on 2008-02-08T07:44:24.000+0000

Thats right, my solution was just a shot in the dark. I also forgot to make clear in my previous post that escaping should be disabled by default and can be enable by something like Zend_Validate_Abstract::setEscape('htmlspecialchars').

Just stumbled upon it working on a current project where the error messages contain escaped german umlauts (ΓΌ etc)...

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.