A number of classes, primarily within the Zend_Form, Zend_Filter, Zend_Log and Zend_View components, contained character encoding inconsistencies whereby calls to the htmlspecialchars() and htmlentities() functions used undefined or hard coded charset parameters. In many of these cases developers were unable to set a character encoding of their choice. These inconsistencies could, in specific circumstances, allow certain multibyte representations of special HTML characters to pass through unescaped, leaving applications potentially vulnerable to cross-site scripting (XSS) exploits. Such exploits would only be possible if a developer used a non-typical character encoding (such as UTF-7), allowed users to define the character encoding, or served HTML documents without a valid character set defined.
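The following is an added illustration, not code from Zend Framework or from this advisory. It contrasts the weak pattern the advisory describes (htmlspecialchars() called with the charset omitted or hard coded) with an escaper whose encoding is configurable and validated, and it runs two constructed payloads through both: a UTF-7 encoded script tag, which no byte-level escaper can catch because it contains none of the ASCII characters htmlspecialchars() looks for, and an overlong UTF-8 encoding of "<", which the hard coded ISO-8859-1 call passes through unchanged while a charset-aware UTF-8 call rejects. The class name Escaper, the function names and the payload bytes are assumptions made for the example; the behaviour of htmlspecialchars() shown relies on PHP 5.4 or later (ENT_SUBSTITUTE and strict UTF-8 validation).

```php
<?php
// Added example, not Zend Framework code. Demonstrates why the charset passed
// to htmlspecialchars() must be explicit, configurable and equal to the charset
// the HTML document is served with.

// Weak pattern from the advisory: charset omitted (ISO-8859-1 on PHP < 5.4)
// or hard coded, so the caller cannot match it to the output document.
function escape_hardcoded($value)
{
    return htmlspecialchars($value, ENT_COMPAT, 'ISO-8859-1');
}

// Corrected pattern: the encoding is an explicit, validated property.
class Escaper
{
    // Allowlist of output encodings we are willing to escape for; a user
    // supplied value that is not in this list is refused rather than honoured.
    private static $allowed = array('UTF-8', 'ISO-8859-1', 'ISO-8859-15', 'cp1252');
    private $encoding;

    public function __construct($encoding = 'UTF-8')
    {
        $this->setEncoding($encoding);
    }

    public function setEncoding($encoding)
    {
        if (!in_array($encoding, self::$allowed, true)) {
            throw new InvalidArgumentException("Unsupported output encoding: $encoding");
        }
        $this->encoding = $encoding;
    }

    public function getEncoding()
    {
        return $this->encoding;
    }

    public function escape($value)
    {
        // ENT_QUOTES: escape both quote styles so attribute contexts are safe.
        // ENT_SUBSTITUTE: invalid byte sequences become U+FFFD instead of the
        // whole string silently collapsing to "" (PHP >= 5.4 behaviour).
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $this->encoding);
    }

    // Emit the header that pins the browser to the same charset we escaped for.
    public function contentTypeHeader()
    {
        return 'Content-Type: text/html; charset=' . $this->encoding;
    }
}

// Constructed payload 1: "<script>alert(1)</script>" in UTF-7. It contains no
// '<', '>', '&' or quotes, so *every* escaper returns it unchanged; it only
// becomes markup if the document is interpreted as UTF-7 (declared or sniffed).
$utf7 = '+ADw-script+AD4-alert(1)+ADw-/script+AD4-';

// Constructed payload 2: overlong two-byte encoding of '<' (0xC0 0xBC) followed
// by "script>". Byte-wise ISO-8859-1 escaping sees no '<' and lets it through.
$overlong = "\xC0\xBCscript>";

$esc = new Escaper('UTF-8');

printf("%-12s %s\n", 'hardcoded:', bin2hex(escape_hardcoded($utf7)));
printf("%-12s %s\n", 'utf-8:', bin2hex($esc->escape($utf7)));
// Both lines print the same bytes: the fix for UTF-7 is the Content-Type
// header below plus never letting the client choose the charset.
echo $esc->contentTypeHeader(), "\n";

printf("%-12s %s\n", 'hardcoded:', bin2hex(escape_hardcoded($overlong)));
// c0bc73637269707426677422  -> 0xC0 0xBC survive, only '>' became &gt;
printf("%-12s %s\n", 'utf-8:', bin2hex($esc->escape($overlong)));
// efbfbd73637269707426677422 -> invalid sequence replaced by U+FFFD

// Refusing a client-chosen encoding instead of honouring it.
try {
    $esc->setEncoding(isset($_GET['charset']) ? $_GET['charset'] : 'UTF-7');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The two printf pairs make the advisory's point concrete: for the UTF-7 payload the escaper's charset is irrelevant and only a declared, non-negotiable document charset protects the page, whereas for the malformed multibyte sequence the protection comes precisely from passing the real output encoding to htmlspecialchars() so that it validates the byte stream instead of scanning it byte by byte.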
and htmlentities() functions used undefined or hard coded charset parameters. In many of these cases developers were unable to set a character encoding of their choice. These inconsistencies could, in specific circumstances, allow certain multibyte representations of special HTML characters pass through unescaped leaving applications potentially vulnerable to cross-site scripting (XSS) exploits. Such exploits would only be possible if a developer used a non-typical character encoding (such as UTF-7), allowed users to define the character encoding, or served HTML documents without a valid character set defined.