Security Advisory: ZF2010-06

ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json

Executive Summary

Zend_Json_Encoder was not taking into account the solidus character (/) during encoding, leading to incompatibilities with the JSON specification, and opening the potential for XSS or HTML injection attacks when returning HTML within a JSON string.

Action Taken

Zend_Json_Encoder was patched to escape the solidus character when encoding PHP strings to JSON.


This particular vulnerability only affects those users who are either (a) using Zend_Json_Encoder directly, (b) requesting native encoding instead of usage of ext/json (e.g., by enabling the static $useBuiltinEncoderDecoder property of Zend_Json), or (c) on systems where ext/json is unavailable (e.g. RHEL, CentOS). If you are affected, we strongly recommend upgrading to the latest available Zend Framework release, or one of the following releases, immediately.

  • 1.9.7
  • 1.8.5
  • 1.7.9

Other Information


The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken.

Released 2010-01-11

Back to advisories

Have you identified a security vulnerability?

Please report it to us at


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.