Security

Security Advisory: ZF2010-02

ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor

Executive Summary

Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV. The Dojo team has reported that this has security implications as the rich text editor they use is unable to escape content for a TEXTAREA.

Action Taken

The primary rationale in Zend Framework for using a TEXTAREA with the Editor Dijit was to allow for graceful degradation in browser environments that do not support JavaScript. The component has been reworked such that we now decorate an HTML DIV, and provide a separate TEXTAREA within a NOSCRIPT tag for purposes of graceful degradation; content is escaped in the latter TEXTAREA.

Recommendations

If you use Zend_Dojo_View_Helper_Editor, it is strongly recommended that you upgrade to either the latest available Zend Framework release, or one of the following releases, immediately:

  • 1.9.7
  • 1.8.5
  • 1.7.9

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken
  • Peter Petrison and Mark Corti, for raising related issues in the ZF issue tracker

Released 2010-01-11

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

About
Overview
FAQ
License
Long Term Support
Changelog
Security
Issues

Install
Get started
MVC skeleton app
Expressive skeleton app
Archives
Statistics

Documentation
Overview
Training and Certification
Support and Consulting
Webinars
Blog
Zend Framework 2 - API
Zend Framework 1 - API

Participate
Overview
Slack
Forums
Newsletter
Contributor guide
Code Manifesto
Contributors
Logos
Status
Get certified

Copyright

© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts