Matthew, thank you very much for a meaningful answer.

I believe that the correct solution should be consistent and predictable in the first case. So it is OK to tell developers: "You must escape all your output; it is solely your responsibility. Here's a handy default implementation for escaping free text in XML/HTML. Or you can use an external tool if you wish."

But it is not OK to tell: "We will automatically escape some output so you must not escape it yourself to avoid double escaping. But we will not escape everything so you must manually escape the rest to avoid XSS. And BTW, it throws E_NOTICE instead of printing text sometimes."

If you don't want to bundle a full-blown templating engine, then I think that it is a valid decision to require all escaping from developers, especially if you allow the use of external templating engines for developers who are not comfortable with the low-level approach.

There's not much you must do to validate free text. I hope that I've made it perfectly clear at http://php.vrana.cz/defense-against-xss-in-zend-framework.php#d-13003

There are other problems related to this topic in ZF2 (e.g. double escaping in Sitemap) but I think that removing the semi-automatic escaping and changing the default escaping function to use ENT_QUOTES would be a great start.

--
Jakub Vrana


--
List: [email protected]
Info: http://framework.zend.com/archives
Unsubscribe: [email protected]
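The two concrete points in the message above, that the default escaping function should use `ENT_QUOTES` and that escaping the same text twice produces visible double escaping, can be demonstrated directly with PHP's `htmlspecialchars()`. The following is an added example, not code from the thread or from Zend Framework; the function names `escape_html()` and `escape_html_compat()` and the sample strings are constructed for illustration.

```php
<?php
// Added example (not from the original thread or from Zend Framework).
// Shows (1) why ENT_QUOTES matters: the older default flag ENT_COMPAT
// escapes " but leaves ' untouched, so text placed inside a single-quoted
// attribute can terminate that attribute; and (2) what double escaping
// looks like when an already-escaped string is escaped again.

declare(strict_types=1);

/**
 * Escape free text for insertion into an HTML/XML text node or a quoted
 * attribute value. ENT_QUOTES covers both " and '; ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of returning an empty string.
 * (Hypothetical helper name, chosen for this example.)
 */
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The weaker behaviour, requested explicitly via ENT_COMPAT so the result
 * does not depend on the PHP version's default flags: " is escaped, ' is not.
 * (Hypothetical helper name, chosen for this example.)
 */
function escape_html_compat(string $text): string
{
    return htmlspecialchars($text, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: ordinary free text that happens to contain
// the characters an HTML escaper must handle.
$samples = [
    "O'Reilly & Sons <b>",
    'say "hello"',
];

foreach ($samples as $s) {
    printf("input:       %s\n", $s);
    printf("ENT_COMPAT:  %s\n", escape_html_compat($s)); // ' survives unescaped
    printf("ENT_QUOTES:  %s\n", escape_html($s));        // ' becomes &#039;
    // Escaping twice: & from the first pass becomes &amp; again, so the
    // page renders literal "&amp;" or "&lt;" to the user.
    printf("escaped 2x:  %s\n\n", escape_html(escape_html($s)));
}

// Why the single quote matters: the same text inside a single-quoted
// attribute. With ENT_QUOTES the attribute value stays intact; with
// ENT_COMPAT the quote in the data ends the attribute early.
$title = $samples[0];
printf("attr (ENT_QUOTES): <a title='%s'>link</a>\n", escape_html($title));
printf("attr (ENT_COMPAT): <a title='%s'>link</a>\n", escape_html_compat($title));
```

For the first sample the `ENT_COMPAT` line prints `O'Reilly &amp; Sons &lt;b&gt;`, the `ENT_QUOTES` line prints `O&#039;Reilly &amp; Sons &lt;b&gt;`, and the doubly escaped line prints `O&amp;#039;Reilly &amp;amp; Sons &amp;lt;b&amp;gt;`, which is exactly the artefact a developer sees when a framework escapes some output automatically and the developer escapes it again by hand.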