On 13/02/12 15:15, Jakub Vrana wrote:
> Hello!
>
> Please read the article
> http://php.vrana.cz/defense-against-xss-in-zend-framework.php and
> consider changing the way how Zend Framework escapes data on output
> before Zend Framework 2 is out.
>
The number example in there is kind of dumb. For that, I'd just cast to
int, as it's way faster. ;-)
As for the double escaping, that can be solved by setting double encode
to false:
$this->setEscapeCallback(function ($value) use ($view) {
    // fourth argument ($double_encode) = false: existing entities are left alone
    return htmlspecialchars($value, ENT_COMPAT, $view->getEncoding(), false);
});
The problem that I do agree with is the "some data will be
automatically escaped by default but some data won't" one, and it's not an
easy problem to solve.
Cheers,
David
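The double-escaping behaviour David refers to, shown as an added, stand-alone example that is not part of the thread and not Zend Framework code. It uses only PHP's built-in `htmlspecialchars()`; the helper names `escapeTwice()` and `escapeOnce()` and the sample inputs are constructed for the illustration.

```php
<?php
// Added example (not from the thread, not Zend Framework code): compares the
// default double_encode = true behaviour of htmlspecialchars() with the
// double_encode = false setting suggested in the reply above. The function
// names escapeTwice/escapeOnce are hypothetical helpers for this demo.

declare(strict_types=1);

// Default behaviour: with double_encode = true, an "&" that already starts an
// entity is encoded again, so a value that passes through two escaping layers
// ends up as "&amp;amp;" and renders as a literal "&amp;" to the user.
function escapeTwice(string $value, string $encoding = 'UTF-8'): string
{
    $once = htmlspecialchars($value, ENT_COMPAT, $encoding, true);
    return htmlspecialchars($once, ENT_COMPAT, $encoding, true);
}

// With double_encode = false, existing entities are left untouched while raw
// metacharacters (<, >, ", &) are still encoded, so applying the escaper
// twice yields the same output as applying it once.
function escapeOnce(string $value, string $encoding = 'UTF-8'): string
{
    $once = htmlspecialchars($value, ENT_COMPAT, $encoding, false);
    return htmlspecialchars($once, ENT_COMPAT, $encoding, false);
}

// Constructed sample inputs covering the cases that matter.
$samples = [
    'Tom & Jerry',                // raw ampersand in ordinary text
    'Tom &amp; Jerry',            // already escaped by an earlier layer
    '<script>alert(1)</script>',  // raw markup that must never reach the page
    '&lt;script&gt;',             // already-encoded markup: inert text either way
];

printf("%-28s | %-48s | %s\n", 'input', 'double_encode = true (twice)', 'double_encode = false (twice)');
foreach ($samples as $input) {
    printf("%-28s | %-48s | %s\n", $input, escapeTwice($input), escapeOnce($input));
}
```

Two things worth checking before adopting the setting: `double_encode = false` is still safe in HTML body and attribute context because a raw `<`, `>`, `"` or `&` is always encoded; what it gives up is faithful round-tripping, since user data that genuinely contains the text `&amp;` will now display as `&`. It also does nothing for the contextual problem in David's last paragraph: data placed inside a `<script>` block, a URL or a CSS value needs a context-specific escaper regardless of the `double_encode` flag. Note too that `ENT_COMPAT` leaves single quotes alone, so attributes delimited with `'` need `ENT_QUOTES`.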