No, that's not my fear... My fear is that search engines won't index my pages 
correctly. As stated earlier, the Yandex microdata validator will issue a warning 
and doesn't understand the schema.org microdata structure. Vulnerable to XSS 
attacks or not, Yandex has a share of over 50% of the Russian market. Therefore 
my page won't have the same SEO impact on the Russian market as a competitor's 
page not escaping this attribute. If Zend Framework is aimed at personal sites 
there is no problem at all, as SEO may not be so important, but a company's page 
could possibly have troubles if SEO is not as good as possible, and even be a money 
waster if they have acquired some SEO services and they think it's working as 
expected but some search engines are ignoring microdata.

I really don't see what troubles could arise from not escaping "itemtype" and 
"itemscope" attributes, as I don't see any reason why user input or JavaScript 
should access these two attributes. It would be nice if the attribute would 
selectively escape or not... Adding an array of non-escaped attributes or 
something like that. As mentioned, the schema microdata would affect all helpers 
extending the AbstractHtmlElement and therefore would be duplicating a bunch of 
code just to be able to get SEO working on search engines such as Yandex, and 
adding a performance downgrade which would also affect SEO, as more memory would 
be used keeping duplicate view helpers just to avoid 2 attributes from being 
escaped.

There is no easy workaround, as the attribute code is inside the 
AbstractHtmlElement and therefore that would be the element to extend, but all 
the real helpers extend it and therefore there should be a new abstract helper 
and every single HTML object copied to and with the namespace changed in order 
for it to work. The other way around is allowing overriding the view plugin and 
completely disabling the escaper by creating a new escaper that only returns the 
value passed. None of them are nice solutions, as creating the custom views 
means extra maintenance, as new changes to Zend\View should be implemented on 
the custom view helpers as they have the same code since they cannot be 
extended. Leaving everything without an escaper is not the best solution... But 
how could some attributes be kept without escaping? I don't want to go into 
every single search engine to see if the microdata gets indexed correctly or 
not.

From: [email protected]
Date: Mon, 18 Jan 2016 12:04:09 -0700
Subject: Re: [fw-general] Can we disable escapers for html attributes?
To: [email protected]
CC: [email protected]

On 18 January 2016 at 11:08, Juan Pedro Gonzalez <[email protected]> 
wrote:
By the way, there IS a problem from an SEO perspective. Using the Yandex microdata 
validator I get an error with the escaped string:

"WARNING: itemtype http://schema.org/ContactPage not recognized by validator"

There is no error if the itemtype is NOT escaped. Don't know if other search 
engines will react this way, but Yandex will certainly have troubles with that 
escaped string and, therefore, Zend Framework will ruin the SEO. :(

This actually indicates that the Yandex microdata validator is not DOM compliant, 
and may even be vulnerable to XSS injections (OUCH!) when re-generating output 
from user input (can't verify it though, as I don't have a pentesting tool at 
hand).

I suggest that you look at http://r12a.github.io/apps/conversion/ to check that 
the escaping matches your data, if that's what you fear.

Also see https://jsfiddle.net/5toL1c5r/ (proper escaping)
Also see https://3v4l.org/PE8hk (proper parsing via DOM compliant APIs)

Hope that helps
Marco Pivetta 

http://twitter.com/Ocramius      

http://ocramius.github.com/ 
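
The round trip discussed in this thread, as an added example that is not code from either poster or from Zend Framework: an entity-escaped `itemtype` is read back unchanged by a DOM-compliant parser, while a consumer that compares the raw attribute text sees a different string. `escapeAttrSketch()` is a simplified stand-in for hex-entity attribute escaping (an assumption, not Zend\Escaper itself), and `readItemtypeNaively()` is a hypothetical non-compliant consumer.

```php
<?php
// Simplified stand-in for hex-entity attribute escaping (assumption:
// everything except alphanumerics and , . - _ becomes &#xHH;).
function escapeAttrSketch(string $value): string
{
    return preg_replace_callback(
        '/[^a-z0-9,.\-_]/iu',
        static function (array $m): string {
            return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
        },
        $value
    );
}

// DOM-compliant consumer: the HTML parser decodes character references
// in attribute values before handing them to the caller.
function readItemtypeViaDom(string $html): ?string
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $div = $doc->getElementsByTagName('div')->item(0);
    return $div instanceof DOMElement ? $div->getAttribute('itemtype') : null;
}

// Hypothetical non-compliant consumer: takes the raw text between the quotes.
function readItemtypeNaively(string $html): ?string
{
    return preg_match('/itemtype="([^"]*)"/', $html, $m) ? $m[1] : null;
}

// Constructed sample markup using the itemtype from the thread.
$type = 'http://schema.org/ContactPage';
$html = '<div itemscope itemtype="' . escapeAttrSketch($type) . '">x</div>';
echo $html, PHP_EOL;

// Compare what each consumer reads back with the original URL.
$raw = readItemtypeNaively($html);
var_dump(readItemtypeViaDom($html) === $type);
var_dump($raw === $type);

// A raw-text consumer has to decode character references itself
// before comparing against known schema.org types.
var_dump(html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $type);
```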