Issue Type: Bug Created: 2009-10-22T17:37:42.000+0000 Last Updated: 2010-04-27T08:31:48.000+0000 Status: Resolved Fix version(s): - 1.7.9 (11/Jan/10)
Reporter: Silver Zachara (snop) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Dojo
Related issues: - ZF-6753
Attachments: - 8127.patch
Zend_Dojo_Form_Elements_Editor is generated from in Zend_Dojo_View_Helper_Editor and this is security issue. This is in Dijit documentation: dijit._editor.RichText is the core of dijit.Editor, which provides basic WYSIWYG editing features. It also encapsulates the differences of different js engines for various browsers. Do not use this widget with an HTML tag, since the browser unescapes XML escape characters, like <. This can have unexpected behavior and lead to security issues such as scripting attacks.
Zend_Dojo_Form_Elements_Editor must be generated from div!
Posted by Dave Heath (davehimself) on 2009-10-24T08:30:40.000+0000
Wrote a test to check for the presence of a textarea. Changed Editor to inherit from DijitContainer.
Posted by snop3 (snop3) on 2009-10-24T10:31:13.000+0000
Was fast ;), thank you
Posted by Paul Verhoeven (paul verhoeven) on 2009-10-31T20:14:16.000+0000
Posted by Matthew Weier O'Phinney (matthew) on 2010-01-07T06:46:55.000+0000
Resolved in trunk and 1.9 release branch; backporting to 1.8 and 1.7 as well.
Posted by snop3 (snop3) on 2010-01-07T10:36:06.000+0000
Great, thank you
Posted by Vladimir Razuvaev (vladar) on 2010-01-20T21:23:56.000+0000
This should also fix ZF-5387
Have you found an issue?
See the Overview section for more details.