Many Zend Framework 2 view helpers were using the escapeHtml() view helper to
escape HTML attributes, instead of the more appropriate escapeHtmlAttr().
escapeHtml() only encodes the characters significant in an HTML text node, so
where user data and/or JavaScript is used to seed attribute values, this can
lead to potential cross-site scripting (XSS) attack vectors.
Vulnerable view helpers include:
- Zend\Form view helpers
- Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers
- htmlFlash(), htmlPage(), htmlQuickTime()
- Zend\View\Helper\Gravatar
All view helpers affected have been updated to use the escapeHtmlAttr() view helper when escaping data for HTML attributes.
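The difference between the two escaping strategies is easiest to see on an unquoted attribute. The following Python is an added example, not code from the advisory or from Zend Framework: it models escapeHtml() as the equivalent of htmlspecialchars() with ENT_QUOTES (only `& < > " '` are encoded) and escapeHtmlAttr() as the whole-character-class rule Zend\Escaper follows (everything outside `[A-Za-z0-9,._-]` becomes a numeric entity). That modelling is an assumption about the helpers' behaviour; the sample value, the attribute name and the `breakout_chars()` check are constructed for the example.

```python
import html
import re

# Constructed sample value: harmless, but carries a space, '=' and quotes,
# which are exactly the characters that matter inside an unquoted attribute.
SAMPLE_VALUE = 'a b="c"'


def escape_html(s: str) -> str:
    """Text-node escaping, modelled on htmlspecialchars() with ENT_QUOTES.

    Only & < > " ' are encoded; whitespace, '=' and '/' pass through untouched.
    """
    return html.escape(s, quote=True)


# Assumed attribute rule (OWASP / Zend\Escaper style): only these bytes may
# appear literally in an attribute value; every other character is encoded.
_ATTR_LITERAL = re.compile(r"[A-Za-z0-9,._-]")


def escape_html_attr(s: str) -> str:
    """Attribute-context escaping: encode every character outside the safe class."""
    out = []
    for ch in s:
        if _ATTR_LITERAL.match(ch):
            out.append(ch)
        else:
            # Two hex digits minimum, more for code points above 0xFF.
            out.append(f"&#x{ord(ch):02X};")
    return "".join(out)


# Characters that terminate an unquoted attribute value or start a new
# attribute/tag. Any of these surviving escaping means the value did not stay
# confined to the attribute it was written into.
_BREAKOUT = set(" \t\n\r\f=`'\"<>/")


def breakout_chars(escaped: str) -> set:
    """Return the raw delimiter characters still present after escaping."""
    return {ch for ch in escaped if ch in _BREAKOUT}


def render_unquoted(attr: str, value: str, escaper) -> str:
    """Render a hypothetical unquoted attribute the way a naive helper might."""
    return f"<input {attr}={escaper(value)}>"


def compare(value: str = SAMPLE_VALUE) -> dict:
    """Run both escapers over one value and report which one leaks delimiters."""
    return {
        "escape_html": escape_html(value),
        "escape_html_leaks": sorted(breakout_chars(escape_html(value))),
        "escape_html_attr": escape_html_attr(value),
        "escape_html_attr_leaks": sorted(breakout_chars(escape_html_attr(value))),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result!r}")
    print(render_unquoted("value", SAMPLE_VALUE, escape_html))
    print(render_unquoted("value", SAMPLE_VALUE, escape_html_attr))
```

With escapeHtml(), the space and the `=` survive, so the browser reads `b=...` as a second attribute rather than as part of `value`; with escapeHtmlAttr(), every delimiter is encoded and the whole string stays inside the one attribute regardless of how the helper quoted it. When auditing a view helper, the useful check is the one `breakout_chars()` performs: after escaping, no raw whitespace, `=`, quote, backtick, slash or angle bracket should remain in attribute output.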
The following releases contain the fixes:
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Released 2014-04-15
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com