Hey David,

Template parameter placeholders shouldn't really be part of the user input, should they? I think you had a quite bad security issue upfront there ;-)

If you really need unescaped strings, then you could eventually override the `escapeHtmlAttr` helper, but be reeeeeeeeeeeeally careful about what you are doing. I won't take responsibility for any security issues introduced by doing that.

Marco Pivetta
http://twitter.com/Ocramius
http://ocramius.github.com/

On 22 May 2014 07:15, David Muir <[email protected]> wrote:

> The security fix broke our JavaScript templates that contained form
> elements. :-(
> All the curly braces in attributes are being converted to HTML entities, so
> our string replace calls aren't finding the braces anymore. Is there a way
> to easily get the old behaviour?
>
> Cheers,
> David
>
> On Wed, Apr 16, 2014 at 6:16 AM, Matthew Weier O'Phinney
> <[email protected]> wrote:
>
> > We've just pushed out several new releases:
> >
> > - Zend Framework 1.12.6: This fixes a BC break with regards to a
> > number of Locales that was introduced in 1.12.4; you can read about it
> > at http://bit.ly/zf-1-12-6
> >
> > - Zend Framework 2.2.7 and Zend Framework 2.3.1: These fix a security
> > issue reported at
> > http://framework.zend.com/security/advisory/ZF2014-03 - a potential
> > XSS vulnerability in a number of ZF2 view helpers. Additionally, ZF
> > 2.3.1 contains more than 80 bugfixes; you can read about these
> > releases at http://bit.ly/zf-2-3-1
> >
> > If you are using ZF2, and specifically view helpers, we highly
> > recommend upgrading to either 2.2.7 or 2.3.1 ASAP.
> >
> > Packages are available via composer, pyrus, or
> > http://framework.zend.com/downloads/latest
> >
> > --
> > Matthew Weier O'Phinney
> > Project Lead | [email protected]
> > Zend Framework | http://framework.zend.com/
> > PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
> >
> > --
> > List: [email protected]
> > Info: http://framework.zend.com/archives
> > Unsubscribe: [email protected]
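The breakage David describes, and the ordering Marco's advice implies, as an added example that is not part of the thread or of Zend Framework: `escapeHtmlAttr` below is a JavaScript model of the ZF2 `Zend\Escaper` attribute-escaping rules (an assumption about the library's behaviour, not its code), run over a constructed template and a constructed hostile value.

```javascript
// Added example. escapeHtmlAttr models the ZF2 Zend\Escaper::escapeHtmlAttr
// rules: every character outside [A-Za-z0-9,.-_] becomes an entity, so the
// effect on template placeholders can be seen without a PHP install.
const NAMED = { '"': 'quot', '&': 'amp', '<': 'lt', '>': 'gt' };

function escapeHtmlAttr(str) {
  return String(str).replace(/[^a-z0-9,.\-_]/giu, (ch) => {
    const cp = ch.codePointAt(0);
    // Control characters other than tab/newline/CR are replaced by U+FFFD.
    if (cp <= 0x1f && ch !== '\t' && ch !== '\n' && ch !== '\r') return '&#xFFFD;';
    if (NAMED[ch]) return `&${NAMED[ch]};`;
    const hex = cp.toString(16).toUpperCase();
    return `&#x${hex.padStart(cp > 0xff ? 4 : 2, '0')};`;
  });
}

// The pattern from the thread: the placeholder itself goes through the helper,
// then client-side code does a string replace. After the fix the braces are
// entities ('&#x7B;name&#x7D;'), so the replace silently matches nothing.
function replaceAfterEscape(placeholder, value) {
  const attr = escapeHtmlAttr(placeholder);
  return attr.replace(placeholder, value); // returned unchanged
}

// Defensive ordering: the placeholder belongs to the template, not to the
// data. Substitute first and escape only the data that fills the slot, so a
// value containing a quote cannot close the attribute.
function renderInput(template, data) {
  return template.replace(/\{(\w+)\}/g, (_, key) =>
    escapeHtmlAttr(data[key] ?? ''));
}

// Constructed sample input (hypothetical template and value, not from the thread).
const TEMPLATE = '<input name="username" value="{username}">';
const HOSTILE = '" onfocus="alert(1)';
```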
