Security Advisory: ZF2012-03

ZF2012-03: Potential XSS Vectors in Multiple Zend Framework 2 Components

Zend\Debug, Zend\Feed\PubSubHubbub, Zend\Log\Formatter\Xml, Zend\Tag\Cloud\Decorator, Zend\Uri, Zend\View\Helper\HeadStyle, Zend\View\Helper\Navigation\Sitemap, and Zend\View\Helper\Placeholder\Container\AbstractStandalone were not using Zend\Escaper when escaping HTML, HTML attributes, and/or URLs. While most were performing some escaping, because they were not using context-appropriate escaping mechanisms, they could potentially be exploited to perform Cross Site Scripting (XSS) attacks.

Action Taken

Each component and/or class was evaluated to determine which context-appropriate escaping mechanism should be used, and the appropriate method from Zend\Escaper\Escaper was then used. In most cases, this also involved composing the Escaper class as an injectible dependency.

In the case of Zend\Tag\Cloud\Decorator, the HtmlCloud and HtmlTag decorators were found to lack validation of user-provided HTML element and attribute names. Logic was added to validate these and raise an exception if invalid.

This patch has been applied starting in versions 2.0.1 of Zend Framework, as well as to the 2.1 development branch.


If you are using any of the components listed, we recommend upgrading to 2.0.1 or greater.

Other Information


The Zend Framework team thanks the following for working with us to help protect its users:

  • Robert Basic

Released 2012-09-20

Back to advisories

Have you identified a security vulnerability?

Please report it to us at


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.