A number of classes, primarily within the Zend_Form, Zend_Filter,
Zend_Form, Zend_Log and Zend_View components, contained character encoding
inconsistencies whereby calls to the htmlspecialchars() and htmlentities()
functions used undefined or hard coded charset parameters. In many of these
cases developers were unable to set a character encoding of their choice. These
inconsistencies could, in specific circumstances, allow certain multibyte
representations of special HTML characters pass through unescaped leaving
applications potentially vulnerable to cross-site scripting (XSS) exploits. Such
exploits would only be possible if a developer used a non-typical character
encoding (such as UTF-7), allowed users to define the character encoding, or
served HTML documents without a valid character set defined.
The afore-mentioned classes have been reworked to use a default character encoding of UTF-8 and now expose methods to allow developers set a custom character encoding.
In addition, a decision was made to default to UTF-8 for the internal encoding
mechanisms used by Zend_View. If you were relying on Zend_View using
ISO-8859-1 encoding previously, you may need to specify that encoding manually
now. You may do so in several ways:
If manually instantiating Zend_View:
$view = new Zend_View(array('encoding' => 'ISO-8859-1'));
// or:
$view->setEncoding('ISO-8859-1');
From your application.ini:
resources.view.encoding = "ISO-8859-1"
First, we recommend using UTF-8 or ensuring your chosen character encoding is used consistently across all components to help prevent potential multibyte based XSS attacks against your application. We also recommend that developers ensure HTML documents are served with a valid character set defined, such as via the Content-Type header or inside the document itself.
Second, if you are using any of the Zend_Form, Zend_Filter, Zend_Form,
Zend_Log or Zend_View components, we strongly recommend upgrading to Zend
Framework 1.9.7 or above; regardless, it is always best to run the most current
version of the framework.
The Zend Framework team thanks the following for working with us to help protect its users:
Released 2010-01-11
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com