Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV. The Dojo team has reported that this has security implications, as the rich text editor they use is unable to escape content for a TEXTAREA.
The primary rationale in Zend Framework for using a TEXTAREA with the Editor Dijit was to allow for graceful degradation in browser environments that do not support JavaScript. The component has been reworked such that we now decorate an HTML DIV, and provide a separate TEXTAREA within a NOSCRIPT tag for purposes of graceful degradation; content is escaped in the latter TEXTAREA.
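To make the reworked structure concrete, the following is an added illustration written for this page; it is not Zend Framework or Dojo code. It renders the markup shape described above (a DIV for the Editor dijit, plus an escaped TEXTAREA inside NOSCRIPT) next to the earlier shape (the value dropped straight into a TEXTAREA), and approximates how a browser turns each TEXTAREA body into the control's value. The function names, the `-textarea` id suffix and the use of Dojo's declarative `dojoType` attribute are assumptions made for this example; the sample value is constructed.

```javascript
// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Reverse of escapeHtml, used below to approximate how a browser decodes the
// character references inside a TEXTAREA when producing the control's value.
function unescapeHtml(s) {
  return String(s)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&amp;/g, '&');
}

// The shape the advisory describes after the fix (names are assumptions).
// The DIV carries the rich-text value as markup for the dijit to edit, so it
// must already be trusted or sanitized HTML; the NOSCRIPT fallback carries an
// escaped copy so the TEXTAREA's value equals the original markup exactly.
function renderEditor(id, name, content) {
  return (
    `<div id="${escapeHtml(id)}" dojoType="dijit.Editor">${content}</div>` +
    `<noscript><textarea id="${escapeHtml(id)}-textarea" name="${escapeHtml(name)}">` +
    `${escapeHtml(content)}</textarea></noscript>`
  );
}

// The earlier shape: the value placed in a TEXTAREA without escaping.
function renderUnescapedTextarea(id, name, content) {
  return `<textarea id="${escapeHtml(id)}" name="${escapeHtml(name)}">${content}</textarea>`;
}

// Extract the text a browser would hand back as the TEXTAREA's value: the raw
// body between the tags with its character references decoded.
function textareaValue(html) {
  const m = /<textarea[^>]*>([\s\S]*?)<\/textarea>/.exec(html);
  return m ? unescapeHtml(m[1]) : null;
}

// Constructed rich-text value; the "&amp;" is part of the markup being edited.
const SAMPLE = '<p>Fish &amp; chips</p>';

// The escaped copy round-trips unchanged; the unescaped one comes back altered
// ("&amp;" has collapsed to "&"), which is the mismatch the fix removes.
function demo() {
  return {
    hardened: textareaValue(renderEditor('editor1', 'body', SAMPLE)) === SAMPLE,
    unescaped: textareaValue(renderUnescapedTextarea('editor1', 'body', SAMPLE)) === SAMPLE,
  };
}

console.log(demo());
```

Run with `node` to see `{ hardened: true, unescaped: false }`: only the escaped TEXTAREA preserves the rich-text value byte for byte when JavaScript is unavailable, which is why the fallback copy, and only that copy, is escaped.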
If you use Zend_Dojo_View_Helper_Editor, it is strongly recommended that you upgrade to either the latest available Zend Framework release, or one of the following releases, immediately:
The Zend Framework team thanks the following for working with us to help protect its users:
Released 2010-01-11
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com