ZF-8127: Security issue in Zend_Dojo_View_Helper_Editor

Issue Type: Bug Created: 2009-10-22T17:37:42.000+0000 Last Updated: 2010-04-27T08:31:48.000+0000 Status: Resolved Fix version(s): - 1.7.9 (11/Jan/10)

  • 1.8.5 (11/Jan/10)
  • 1.9.7 (11/Jan/10)

Reporter: Silver Zachara (snop) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Dojo

Related issues: - ZF-6753

Attachments: - 8127.patch



Zend_Dojo_Form_Elements_Editor is generated from in Zend_Dojo_View_Helper_Editor and this is security issue. This is in Dijit documentation: dijit._editor.RichText is the core of dijit.Editor, which provides basic WYSIWYG editing features. It also encapsulates the differences of different js engines for various browsers. Do not use this widget with an HTML tag, since the browser unescapes XML escape characters, like <. This can have unexpected behavior and lead to security issues such as scripting attacks.…

Zend_Dojo_Form_Elements_Editor must be generated from div!


Posted by Dave Heath (davehimself) on 2009-10-24T08:30:40.000+0000

Wrote a test to check for the presence of a textarea. Changed Editor to inherit from DijitContainer.

Posted by snop3 (snop3) on 2009-10-24T10:31:13.000+0000

Was fast ;), thank you

Posted by Paul Verhoeven (paul verhoeven) on 2009-10-31T20:14:16.000+0000

Duplicate issue:

Posted by Matthew Weier O'Phinney (matthew) on 2010-01-07T06:46:55.000+0000

Resolved in trunk and 1.9 release branch; backporting to 1.8 and 1.7 as well.

Posted by snop3 (snop3) on 2010-01-07T10:36:06.000+0000

Great, thank you

Posted by Vladimir Razuvaev (vladar) on 2010-01-20T21:23:56.000+0000

This should also fix ZF-5387

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.