Many Zend Framework 2 view helpers were using the
escapeHtml() view helper in
order to escape HTML attributes, instead of the more appropriate
seed attributes, this can lead to potential cross-site scripting (XSS) attack
Vulnerable view helpers include:
Zend\View\Helper\Navigation\*) view helpers.
All view helpers affected have been updated to use the escapeHtmlAttr() view helper when escaping data for HTML attributes.
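The difference between the two escaping contexts, as an added example that is not code from this advisory or from Zend Framework: both functions are simplified stand-ins (hypothetical names) for body-style and attribute-style escaping, and the input value is constructed. It assumes PHP 7.2+ with the mbstring extension.

```php
<?php
// Added example: simplified stand-ins, not Zend Framework's implementation.

// Body-context escaping: only & < > " ' are encoded.
function escape_html_body(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute-context escaping: every character except alphanumerics and
// , . - _ becomes a hex character reference, so the value cannot
// terminate the attribute even when the attribute is unquoted.
function escape_html_attr(string $s): string
{
    $out = preg_replace_callback(
        '/[^a-z0-9,.\-_]/iu',
        function (array $m): string {
            $cp = mb_ord($m[0], 'UTF-8');
            // Control characters other than tab/LF/CR are replaced outright.
            if ($cp < 0x20 && !in_array($cp, [0x09, 0x0A, 0x0D], true)) {
                return '&#xFFFD;';
            }
            return sprintf('&#x%02X;', $cp);
        },
        $s
    );
    // preg_replace_callback() returns null on invalid UTF-8; emit nothing.
    return $out ?? '';
}

// Constructed input: a value destined for a class attribute that contains
// a space followed by what looks like a second attribute.
$value = 'nav-item data-injected=1';

// Body escaper in an unquoted attribute: the space is left alone, so the
// parser ends the class value there and reads data-injected as a new attribute.
$weak = '<li class=' . escape_html_body($value) . '>';

// Attribute escaper: the space and "=" are encoded, so the whole string
// stays inside the class value.
$safe = '<li class=' . escape_html_attr($value) . '>';

echo $weak, PHP_EOL;
echo $safe, PHP_EOL;
```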
The following releases contain the fixes:
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users: