On 18 January 2016 at 10:12, Juan Pedro Gonzalez [via Zend Framework Community] <[email protected]> wrote:
> I don't understand the impact of having some non-escaped attributes.

That is indeed why security experts worked on this (specifically, we fixed this in 2014: http://framework.zend.com/security/advisory/ZF2014-03 ).

> For example, the "url" view helper won't escape the "href" tag, however
> the "navigation" helper (More precisely the "menu" plugin inside that view
> helper) will escape the "href" tag.

This is a valid point, and we should probably secure this endpoint as well (adding escaping). Please see http://framework.zend.com/security/, or else I'll try inspecting if it is an immediate attack vector. Further discussion about this shouldn't be continued on the public mailing list though.

> The "itemtype" attribute for schema.org is simply an absolute url and
> it gets escaped...

An absolute URL provided by whom? The navigation view helpers don't know that.

> I may understand someone will want to escape the translated texts inside
> the "alt" attribute, or something like that, but also not to escape some
> other attributes... Even the class names inside the "menu" plugin of the
> "navigation" view helper get escaped. If the browser is homebrewed and
> hasn't taken care of it the output may get ruined.

The navigation component HAS to treat anything like user input, since it is a general purpose component.

> IMHO a framework should be so much involved on the output as it seems hard
> to customize this issue.

Disagree: ZF2 is quite disengaged on this as well, as the escaping is usually added by users, unless they use our own internal helpers.

> If I'm not mistaken, in order to get non-escaped attributes I should write
> my own view helpers...

Unescaped attributes must be ABSOLUTELY avoided unless the output data is not dynamically defined.

> As the MVC module will load the Zend\View View Helpers that means that in
> order to lower the resource I should also avoid using the Zend\Mvc
> namespace or, at least change all the files under Zend\Mvc\Services to use
> my own so it will load my own application with my own services and, this
> way loading my custom ViewHelpers without loading Zend's. ¡That's a hell of a
> task! But if I wish to maintain control over my output there seems to be
> no other solution. At least sticking to Zend Framework.
>
> I really don't understand the reason to enforce attribute escaping.

I repeat: that's why this is done by security experts (that understand the domain of security and escaping), and not by general users.

Cheers,

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/
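To make the contrast the reply draws concrete (an "href" copied into the attribute verbatim versus one escaped for the attribute context), here is an added example in plain PHP; it is neither Zend Framework's code nor part of the original thread, and the function names, the constructed href value and the scheme check are my own assumptions.

```php
<?php
// Added example, not Zend Framework code: a minimal link renderer in the two
// forms the thread contrasts. In a real ZF2 application the Zend\Escaper
// component provides the attribute-context escaping implemented by hand here.
declare(strict_types=1);

// Escape for an HTML attribute value: every code point outside [A-Za-z0-9,.-_]
// becomes a hex entity, so a quote or '<' in the data cannot end the attribute
// or the tag, whatever quoting the surrounding template used.
function escapeHtmlAttr(string $value): string
{
    return preg_replace_callback(
        '/[^A-Za-z0-9,.\-_]/u',
        static fn(array $m): string => sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8')),
        $value
    );
}

// Caveat (assumption, not from the thread): escaping only protects the attribute
// boundary. Whether the URL itself is safe to follow is a separate check, so only
// relative URLs and http(s) schemes are accepted here.
function isAllowedHref(string $href): bool
{
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $href, $m) === 1) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    return true; // no scheme: relative URL
}

// Unsafe form, the behaviour the thread attributes to the "url" helper:
// the href is emitted verbatim, so dynamic data can break out of the attribute.
function renderLinkUnsafe(string $href, string $label): string
{
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">' . $text . '</a>';
}

// Hardened form, the behaviour the thread attributes to the navigation "menu"
// plugin: the href is escaped for the attribute context before output.
function renderLinkSafe(string $href, string $label): string
{
    if (!isAllowedHref($href)) {
        throw new InvalidArgumentException('href scheme not allowed');
    }
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return '<a href="' . escapeHtmlAttr($href) . '">' . $text . '</a>';
}

// Constructed input: a value containing a double quote, the character that
// closes the attribute in the unsafe form but is emitted as &#x22; in the safe one.
$href = '/search?q=a" data-injected="yes';
echo renderLinkUnsafe($href, 'Search'), PHP_EOL;
echo renderLinkSafe($href, 'Search'), PHP_EOL;
```

Running both renderers on the same value shows why the reply insists on escaping by default: the unsafe output gains a second attribute the template never wrote, while the escaped output keeps the whole value inside the href.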
