Zend-Form vulnerable to Cross-site Scripting

Many Zend Framework 2 view helpers were using the escapeHtml() view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr(). In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.

Vulnerable view helpers include:

• All Zend\Form view helpers.
• Most Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.
• All “HTML Element” view helpers: htmlFlash(), htmlPage(), htmlQuickTime().
• Zend\View\Helper\Gravatar