Auto escape variables in Zend Framework

In Zend Framework you can use the $this->escape() view helper to escape variables to protect your website against XSS attacks.

Unfortunately, there is no way to enable this globally so that EVERY variable is escaped by default. It’s a bit odd, because other popular frameworks like Symfony provide this out of the box. And Symfony 1 was released earlier than Zend Framework, so you’d think it would have been picked up, but no :-(

Of course, if everything is escaped by default, there are situations where a variable was already escaped earlier in the application, like a form element. But when you build your application you will see immediately that it’s broken and double escaped.

Automatically escaped:

<?= $this->form ?>

You would get the raw value with:

<?=~ $this->form ?>

Notice the “~” character. This way the safe behaviour is the default and you opt out explicitly for the few raw values, instead of the other way around, where everything seems to work and you manually add $this->escape() every time. I know for sure that you WILL forget to put $this->escape() somewhere, and then you have it: a very dangerous XSS security leak!

A nice and simple way to test XSS is to assign a variable in your controller action to the view like this:

$this->view->test = '<body onload="alert(\'XSS\')">';

Then output it in your view like:

<?= $this->test ?>

Or:

<?php echo $this->test ?>

Over at the PiKe project we built a custom stream wrapper that automatically escapes all view variables, so they are safe by default against XSS, with a MINIMAL performance hit!
Check out Pike_View_Stream
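The stream-wrapper idea described above, written out as an added example (my own sketch, not the Pike_View_Stream code): it rewrites each short echo tag so the expression goes through $this->escape(), and passes <?=~ ... ?> through raw. The autoescape:// scheme and the AutoEscapeViewStream class name are assumptions for this example; it needs PHP 7.4 or newer.

```php
<?php
// Added example, not Pike_View_Stream: rewrites "<?= $x ?>" into
// "<?= $this->escape($x) ?>" and lets "<?=~ $x ?>" through unescaped.
// The "autoescape://" scheme name is an assumption made for this example.
class AutoEscapeViewStream
{
    public $context;            // set by PHP for every stream wrapper instance
    private string $data = '';
    private int $pos = 0;

    /** Rewrite every short echo tag so its expression is escaped unless marked with "~". */
    public static function rewrite(string $source): string
    {
        return preg_replace_callback(
            '/<\?=(~?)\s*(.*?)\s*\?>/s',
            static function (array $m): string {
                if ($m[1] === '~') {            // "<?=~ ... ?>": explicit raw output
                    return '<?= ' . $m[2] . ' ?>';
                }
                return '<?= $this->escape(' . $m[2] . ') ?>';
            },
            $source
        );
    }

    public function stream_open(string $path, string $mode, int $options, ?string &$opened): bool
    {
        $file = substr($path, strlen('autoescape://'));   // strip the scheme
        if (!is_file($file)) {
            return false;
        }
        $this->data = self::rewrite(file_get_contents($file));
        return true;
    }

    public function stream_read(int $count): string
    {
        $chunk = substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }

    public function stream_eof(): bool { return $this->pos >= strlen($this->data); }
    public function stream_stat(): array { return ['size' => strlen($this->data)]; }
    public function stream_set_option(int $o, int $a1, int $a2): bool { return false; }
}

// Usage: stream_wrapper_register('autoescape', AutoEscapeViewStream::class);
// then include view scripts as: include 'autoescape:///path/to/view.phtml';
```

This sketch only rewrites short echo tags, so a plain <?php echo $this->test ?> as in the example above would still print the raw value and needs the same treatment.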
