The number example in there is kind of dumb. For that, I'd just cast to
int, as it's way faster. ;-)
My point is that you have to do something manually which is easy to
forget. It doesn't matter if it is escaping or converting.
As for the double escaping, that can be solved by setting double encode
to false:
$this->setEscapeCallback(function($value) use ($view) {
    return htmlspecialchars($value, ENT_COMPAT, $view->getEncoding(), false);
});
No, it couldn't be solved by this trick. Because if a user enters e.g.
&lt; into a plain text field then I want to render &amp;lt;, not &lt;.
There is another fundamental problem of the current approach: perfectly
sane code issuing E_NOTICE instead of printing data:
http://php.vrana.cz/defense-against-xss-in-zend-framework.php#d-12987
Jakub Vrana
--
List: [email protected]
Info: http://framework.zend.com/archives
Unsubscribe: [email protected]
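An added illustration of the point under discussion (not code from the thread or from Zend Framework): with double_encode set to false, htmlspecialchars() leaves an entity that the user literally typed untouched, so the page no longer shows what the user entered. The sample inputs are constructed for the example, and escapeOnce() and roundTrips() are helper names chosen here, not framework APIs.

```php
<?php
// Added example: behaviour of htmlspecialchars() on input that already
// looks like an entity, with double_encode true versus false.

// Constructed sample inputs: strings a user might type into a plain text field.
$inputs = [
    '<script>alert(1)</script>', // markup that must never reach the page unescaped
    '&lt;',                       // the user literally typed ampersand, l, t, semicolon
    'Fish &amp; Chips',           // likewise a literal "&amp;" typed by the user
];

// Escape exactly once at output time; $doubleEncode is the flag at issue.
function escapeOnce(string $value, bool $doubleEncode): string
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8', $doubleEncode);
}

// True when decoding the escaped output gives back exactly what the user typed,
// i.e. the browser will display the user's characters, not something else.
function roundTrips(string $value, bool $doubleEncode): bool
{
    $escaped = escapeOnce($value, $doubleEncode);
    return html_entity_decode($escaped, ENT_COMPAT, 'UTF-8') === $value;
}

foreach ($inputs as $value) {
    printf("input:               %s\n", $value);
    printf("double_encode=true:  %s  (round-trips: %s)\n",
        escapeOnce($value, true), roundTrips($value, true) ? 'yes' : 'no');
    printf("double_encode=false: %s  (round-trips: %s)\n",
        escapeOnce($value, false), roundTrips($value, false) ? 'yes' : 'no');
    echo "\n";
}
```

For '&lt;' the first form yields '&amp;lt;', which a browser displays as the literal text the user typed, while the second form yields '&lt;', which displays as '<'. The script tag is neutralised either way; what double_encode=false sacrifices is fidelity for input that happens to contain an ampersand, which is why it does not substitute for escaping once, at output, and never before storage.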