Zend\View\Helper\Placeholder\Container\AbstractStandalone were not using
Zend\Escaper when escaping HTML, HTML attributes, and/or URLs. While most were
performing some escaping, they were not using context-appropriate escaping
mechanisms (for example, HTML-body escaping applied to an attribute value or a
URL), so they could potentially be exploited to perform Cross-Site Scripting
(XSS) attacks.
Each component and/or class was evaluated to determine which context-appropriate
escaping mechanism should be used, and the appropriate method of
Zend\Escaper\Escaper was then applied. In most cases, this also involved
composing the Escaper class as an injectable dependency.
In the case of
decorators were found to lack validation of user-provided HTML element and
attribute names. Logic was added to validate these and raise an exception if
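As an added illustration (not code from this advisory or from Zend Framework), the following PHP sketches the two fixes described above: picking the escaping method for the context the value lands in, and validating element and attribute names instead of escaping them. MiniEscaper, assertValidHtmlName and renderLink are hypothetical stand-ins modelled on the approach of Zend\Escaper\Escaper; in a real ZF2 application you would compose Zend\Escaper\Escaper itself and call its escapeHtml(), escapeHtmlAttr(), escapeUrl(), escapeJs() and escapeCss() methods.

```php
<?php
// Added example (not Zend Framework code). A minimal context-aware escaper
// modelled on the approach of Zend\Escaper\Escaper, plus the element/attribute
// name check the advisory describes. Class and function names are hypothetical.

final class MiniEscaper
{
    private $encoding;

    public function __construct($encoding = 'UTF-8')
    {
        $this->encoding = $encoding;
    }

    // HTML body context: <p>HERE</p>
    public function escapeHtml($string)
    {
        return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, $this->encoding);
    }

    // HTML attribute value context: <a title="HERE"> or <a title=HERE>.
    // Hex-encodes every ASCII byte that is not alphanumeric or one of , . - _
    // so that spaces, quotes and '=' cannot break out of the value even when
    // the attribute is unquoted. (Simplification: multi-byte UTF-8 sequences
    // are passed through unchanged; Zend\Escaper encodes those as well.)
    public function escapeHtmlAttr($string)
    {
        return preg_replace_callback('/[^a-zA-Z0-9,._-]/', function ($m) {
            $byte = ord($m[0]);
            return $byte >= 0x80 ? $m[0] : sprintf('&#x%02X;', $byte);
        }, $string);
    }

    // JavaScript string-literal context: <script>var x = 'HERE';</script>
    public function escapeJs($string)
    {
        return preg_replace_callback('/[^a-zA-Z0-9,._]/', function ($m) {
            $byte = ord($m[0]);
            return $byte >= 0x80 ? $m[0] : sprintf('\\x%02X', $byte);
        }, $string);
    }

    // URL component context: ?q=HERE. Only for a single query or path
    // segment; a complete URL (scheme + host) must be validated, not escaped.
    public function escapeUrl($string)
    {
        return rawurlencode($string);
    }
}

// Element and attribute names must never come from untrusted input unchecked:
// escaping cannot help here, because "span onclick=alert(1)" is not a name.
function assertValidHtmlName($name)
{
    if (!preg_match('/^[a-zA-Z][a-zA-Z0-9:_-]*$/', $name)) {
        throw new InvalidArgumentException(
            sprintf('Invalid HTML element/attribute name: "%s"', $name)
        );
    }
    return $name;
}

// Each value is escaped for the exact context it is interpolated into.
function renderLink(MiniEscaper $e, $target, $title, $text)
{
    return sprintf(
        '<a href="?u=%s" title="%s">%s</a>',
        $e->escapeUrl($target),
        $e->escapeHtmlAttr($title),
        $e->escapeHtml($text)
    );
}

// Constructed attacker-controlled input.
$e = new MiniEscaper();
$payload = 'x onmouseover=alert(1)';

// Vulnerable: generic HTML escaping inside an unquoted attribute. Nothing in
// the payload is changed, so a new event-handler attribute is injected.
echo '<a title=' . htmlspecialchars($payload) . '>link</a>', PHP_EOL;
// <a title=x onmouseover=alert(1)>link</a>

// Hardened: attribute-context escaping keeps the whole payload inside the value.
echo '<a title=' . $e->escapeHtmlAttr($payload) . '>link</a>', PHP_EOL;
// <a title=x&#x20;onmouseover&#x3D;alert&#x28;1&#x29;>link</a>

echo renderLink($e, 'javascript:alert(1)', '"><script>', '<b>hi</b>'), PHP_EOL;

try {
    assertValidHtmlName('span onclick=alert(1)');
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}
```

The point of the attribute example is that htmlspecialchars() only neutralises `&`, `<`, `>` and quotes; in an unquoted attribute the space and `=` are what matter, and only attribute-context escaping encodes them. escapeUrl() is likewise only safe for a single URL component: a value like `javascript:alert(1)` placed directly into `href` needs scheme validation rather than escaping.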
This patch has been applied starting in version 2.0.1 of Zend Framework, as well as to the 2.1 development branch.
If you are using any of the components listed, we recommend upgrading to 2.0.1 or greater.
The Zend Framework team thanks the following for working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org