ZF-6430: Twitter Service returns data with inconsistent escapes

Issue Type: Improvement Created: 2009-04-26T13:03:29.000+0000 Last Updated: 2012-11-20T21:37:50.000+0000 Status: Open Fix version(s): Reporter: Andy (lykkefeen) Assignee: None Tags: - Zend_Service_Twitter

Related issues: Attachments:


Data returned from twitter service has got the characters < and > escaped to < and > to avoid cross site scripting (at least the friendtimeline data) - but other special html characters are not escaped (e.g. & to &). This is a problem because in order to produce valid xhtml, special html characters must be escaped. Normally the Zend view helper function escape() can be used to do the escape but due to that < and > are already escaped to < and > then the & part of < and > will be escaped again to & and effectively the < and > characters will be displayed as < and &gt in the browser when outputted; instead of < and > - in the source they will be < and >

As a temporary fix I use this function to remove the escapes made by twitter before using the Zend view helper function escape(), but it would be really nice if this was already done by Zend: function unescapeTwitter($string) { return str_replace(array('<','>'), array('<','>'), $string); }

If not fixed, then please write a warning about it in the documentation. I found the affected version of Zend using "echo Zend_Version::VERSION;".


Posted by Jon Whitcraft (sidhighwind) on 2009-05-20T08:48:22.000+0000

This is how twitter returns the data. Let me talk this over with the Zenders and I'll let you know what I come up with.

Posted by Ralph Schindler (ralph) on 2009-09-14T08:02:21.000+0000

I think we can do this. The only reason the transformation of the < and > are in there are so that whatever is inside will play nice with xml. Since our API abstracts away the fact that XML is being returned, I see no issue in un-xml-escaping the values. Would there be any issues with doing this that you can see, Jon?

Posted by Jon Whitcraft (sidhighwind) on 2009-09-14T08:18:22.000+0000

Currently we only return the Zend_Rest_Client_Result so we could have to modify the way items are returned, This would break bc if we change it so I could see this has being an issue that is held off on until 2.0

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.