In Zend Framework you can use the $this->escape() view helper to escape variables to protect your website against XSS attacks.

Unfortunately, there is no way to turn this on globally so that every variable is escaped by default. That is a bit odd, because other popular frameworks such as Symfony provide it out of the box. And Symfony 1 was released earlier than Zend Framework, so you'd think it would have been picked up, but no.

Of course, if everything is escaped by default, there are situations where variables were already escaped earlier in the application, like a form element. But when you
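As an added example that is not part of the original post, the snippet below reproduces what the escape() view helper does to untrusted input and why escaping an already-escaped form element (the caveat above) mangles the markup. It is stand-alone PHP rather than Zend Framework code: escape_like_zend_view() is an assumed name that wraps PHP's htmlspecialchars(), which is what the helper uses by default, and the sample values are constructed.

```php
<?php
// Added example, not code from the original post or from Zend Framework.
// Zend_View's escape() helper hands the value to htmlspecialchars() by default;
// this stand-alone function mirrors that so the snippet runs without the framework.
// ENT_QUOTES (also encoding single quotes) is a deliberate choice here, since the
// value may end up inside a single-quoted attribute.
function escape_like_zend_view($value, $encoding = 'UTF-8')
{
    return htmlspecialchars((string) $value, ENT_QUOTES, $encoding);
}

// Constructed sample: a value that arrived from user input (e.g. a query string).
$untrusted = '<script>alert("x")</script>';

echo escape_like_zend_view($untrusted), PHP_EOL;
// &lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt;  -> rendered as text, not executed

// The caveat from the post: a form element has already escaped its own output.
$alreadyEscaped = '<input type="text" value="' . escape_like_zend_view('a&b') . '">';
echo $alreadyEscaped, PHP_EOL;
// <input type="text" value="a&amp;b">  -> correct, browser shows a&b in the field

// Escaping it a second time in the view turns every < and & into &lt; and &amp;amp;,
// so the browser displays the tag's source instead of rendering an input field.
echo escape_like_zend_view($alreadyEscaped), PHP_EOL;
// &lt;input type=&quot;text&quot; value=&quot;a&amp;amp;b&quot;&gt;
```

In a view script the first call corresponds to `<?php echo $this->escape($this->title); ?>` for plain data, while a rendered form element is echoed without the helper because it escaped its values when it was rendered; `$this->title` is an assumed variable name.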