Security Advisory: ZF2014-03

ZF2014-03: Potential XSS vector in multiple view helpers

Many Zend Framework 2 view helpers were using the escapeHtml() view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr(). In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.

Vulnerable view helpers include:

  • All Zend\Form view helpers.
  • Most Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.
  • All "HTML Element" view helpers: htmlFlash(), htmlPage(), htmlQuickTime().
  • Zend\View\Helper\Gravatar

Action Taken

All view helpers affected have been updated to use the escapeHtmlAttr() view helper when escaping data for HTML attributes.

The following releases contain the fixes:

  • Zend Framework 2.2.7
  • Zend Framework 2.3.1

Other Information


The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Released 2014-04-15

Back to advisories

Have you identified a security vulnerability?

Please report it to us at


© 2006-2020 by Zend by Perforce. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.