Many Zend Framework 2 view helpers were using the escapeHtml()
view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr()
. In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.
Vulnerable view helpers include:
Zend\Form
view helpers.Zend\Navigation
(aka Zend\View\Helper\Navigation\*
) view helpers.htmlFlash()
, htmlPage()
, htmlQuickTime()
.Zend\View\Helper\Gravatar
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-06-07T20:58:08Z" }