Hi Howard,

The wiki page referred to wasn't all that clear that there are numerous vectors for XSS. The Zend Framework bakes in anti-XSS tactics for a subset of these vectors, but does not cover all of them. Indeed, it couldn't possibly do so. When people talk about the XSS filtering in ZF, they are referring to the ability to escape HTML or XML output from Zend_View (which will be enabled by default in 2.0). The ZF also offers a reasonably robust validation and filtering system for forms. Zend_Db additionally has its own inward-oriented escaping when dealing with databases.

The wiki page refers to something else - the filtering of HTML input to make it safe for output as HTML (a case where Zend_View escaping doesn't apply). For example, perhaps users can submit comments containing HTML elements (you can't escape this, or the HTML is lost and displayed literally). Perhaps you are consuming RSS or Atom feeds which contain HTML content (which is pretty much inevitable). These specific cases - where you need to output HTML coming from an external source out of your direct control - are not addressed by the framework. The library noted, HTMLPurifier, is an amazing solution in my opinion and one that would be extremely difficult to emulate in the Zend Framework given its complexity (Edward does an amazing job maintaining it). For this specific XSS vector HTMLPurifier has no peer within the ZF.

So in short, ZF does assist with XSS prevention - but there are vectors it simply does not address. This is not a failing or weakness, but perhaps it is something we should note more clearly in the documentation where it is relevant.

Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
OpenID Europe Foundation Irish Representative

________________________________
From: howard chen <[email protected]>
To: Zend Framework General <[email protected]>
Sent: Monday, July 13, 2009 2:32:38 PM
Subject: [fw-general] XSS Prevention with Zend Framework

Back in Mar 2008, some guy posted:
http://framework.zend.com/wiki/display/ZFDEV/Cross+Site+Scripting+Prevention+for+PHP

Any update on it? Is it possible to do XSS filtering with Zend Framework now?

Thanks.
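The distinction drawn in the reply above, shown as an added example that is not part of the thread and not code from the Zend Framework or HTMLPurifier projects: untrusted text that must appear inside HTML gets output escaping (the htmlspecialchars() call that Zend_View's escape helper wraps), while untrusted HTML that has to remain HTML (user comments, feed content) gets allow-list sanitisation through HTMLPurifier. The example assumes HTMLPurifier is installed via Composer (package ezyang/htmlpurifier), that the system temp directory is an acceptable serializer cache location, and that the hypothetical helper names escapeText() and makePurifier() are this example's own; the sample inputs are constructed.

```php
<?php
// Added example: two XSS vectors, two different defences.
// Not the mailing-list author's code, nor Zend Framework's or HTMLPurifier's.
declare(strict_types=1);

// Assumption: HTMLPurifier available through Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

/**
 * Case 1: untrusted TEXT rendered inside an HTML document.
 * Output escaping is the right defence here; any markup the user typed is
 * shown literally, which is exactly what we want for plain text fields.
 * (Hypothetical helper name; Zend_View's escape helper does the same job.)
 */
function escapeText(string $value): string
{
    // ENT_QUOTES also escapes single quotes so the result is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Case 2: untrusted HTML that must stay HTML (comments, RSS/Atom content).
 * Escaping would destroy the markup, so instead reduce the fragment to an
 * explicit allow-list of elements, attributes and URI schemes.
 * (Hypothetical helper name wrapping HTMLPurifier's real API.)
 */
function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Only these elements/attributes survive; everything else is removed.
    $config->set('HTML.Allowed', 'p,br,b,i,em,strong,ul,ol,li,a[href]');
    // Restrict link targets to web schemes; javascript:, data:, etc. are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Assumption: the temp directory is writable and acceptable as a cache path.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

// Constructed sample inputs standing in for a form field and a feed entry.
$plainComment = 'I <b>love</b> this <script>alert(1)</script>';
$feedFragment = '<p onmouseover="alert(1)">Hello '
              . '<a href="javascript:alert(1)">link</a> <b>bold</b></p>';

// Case 1: the <b> and <script> tags are rendered as visible text, never parsed.
echo escapeText($plainComment), PHP_EOL;

// Case 2: the <p>, <a> and <b> elements are kept, while the onmouseover
// handler and the javascript: href fall outside the allow-list and are removed.
$purifier = makePurifier();
echo $purifier->purify($feedFragment), PHP_EOL;
```

The practical check when reviewing a view script is to ask which case each variable falls into: a value that is ever echoed raw must have gone through a purifier configured like makePurifier(), and a value that is escaped must never be expected to render as markup. Mixing the two (escaping feed HTML, or echoing comment text unescaped) is how both the "lost markup" and the "script executed" failures arise.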
