Many Zend Framework 2 view helpers were using the escapeHtml()
view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr()
. In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.
Vulnerable view helpers include:
Zend\Form
view helpers.Zend\Navigation
(aka Zend\View\Helper\Navigation\*
) view helpers.htmlFlash()
, htmlPage()
, htmlQuickTime()
.Zend\View\Helper\Gravatar
Vendor | Product | Version | CPE |
---|---|---|---|
zendframework | zend-view | * | cpe:2.3:a:zendframework:zend-view:*:*:*:*:*:*:*:* |
framework.zend.com/security/advisory/ZF2014-03
github.com/advisories/GHSA-m7hr-j867-3f34
github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-view/ZF2014-03.yaml
github.com/zendframework/zendframework/commit/12f89b587cd23dd781cde25c9dd2da75d8f829d7
github.com/zendframework/zendframework/commit/1dd4f8cede07469390eef1e629f808349fa1b5ea
github.com/zendframework/zendframework/commit/6742ddad7a7923163cea6dd58d27d0e946a402d1
github.com/zendframework/zendframework/commit/ec6c0468514c111a244552cfb7cf575a726e017e