Auto escape variables in Zend Framework
In Zend Framework you can use the $this->escape() view helper to escape variables and protect your website against XSS attacks.
Unfortunately, there is no way to turn this on globally so that EVERY variable is escaped by default. That is a bit odd, because other popular frameworks like Symfony provide this out of the box. Symfony 1 was released earlier than Zend Framework, so you would expect the idea to have been picked up, but it was not.
Of course, if everything is escaped by default there will be situations where a variable was already escaped earlier in the application, like a form element. But when you build your application you will see immediately that it is broken and double escaped.
You would get the raw value with:
Notice the “~” character. This way you do not get the opposite situation, where everything seems to work and you have to add $this->escape() manually every time. I know for sure that you WILL forget to put $this->escape() somewhere, and then you have it: a very dangerous XSS security leak!
A nice and simple way to test XSS is to assign a variable in your controller action to the view like this:
Then output it in your view like:
Over at the PiKe project we built a custom stream wrapper that automatically escapes all view variables, so the output is safe by default against XSS, with a MINIMAL performance hit!
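The following is an added example, not code from the original post or from the PiKe project, of how such a stream wrapper can work: it rewrites the view script on the fly so every plain `<?= $this->name ?>` goes through escape(), and a `~` marker opts out. The wrapper name, the `autoescape://` scheme and the exact `<?= ~$this->name ?>` raw syntax are assumptions, since the post's own snippets are not shown here; echoes of expressions other than a bare `$this->name` are left untouched.

```php
<?php
// Added example, not code from the original post or the PiKe project. A stream
// wrapper rewrites a view script as it is included: "<?= $this->name ?>" becomes
// "<?= $this->escape($this->name) ?>"; the assumed "<?= ~$this->name ?>" stays raw.
class AutoEscapeViewStream
{
    public $context;          // populated by PHP for stream wrappers
    private $data = '';
    private $pos = 0;
    public function stream_open($path, $mode, $options, &$openedPath)
    {
        $src = @file_get_contents(substr($path, strlen('autoescape://')));
        if ($src === false) { return false; }
        // 1. Explicit raw output ("~" marker): plain echo, nothing escaped.
        $src = preg_replace('/<\?=\s*~\s*(\$this->\w+)\s*\?>/', '<?php echo $1; ?>', $src);
        // 2. Every remaining short echo of a plain variable is wrapped in escape().
        $this->data = preg_replace('/<\?=\s*(\$this->\w+)\s*\?>/', '<?php echo $this->escape($1); ?>', $src);
        return true;
    }
    public function stream_read($count)
    {
        $chunk = (string) substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }
    public function stream_eof()                          { return $this->pos >= strlen($this->data); }
    public function stream_stat()                         { return array(); }
    public function url_stat($path, $flags)               { return array(); }
    public function stream_set_option($option, $a1, $a2)  { return false; }
}
stream_wrapper_register('autoescape', 'AutoEscapeViewStream');
// Minimal stand-in for a Zend view: escape() does what the escape() view helper does.
class View
{
    public $xss;
    public function escape($value) { return htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); }
    public function render($script)
    {
        ob_start();
        include 'autoescape://' . $script;
        return ob_get_clean();
    }
}
// Constructed check: the post's XSS test, a view variable that contains markup.
$script = sys_get_temp_dir() . '/autoescape_test.phtml';
file_put_contents($script, "Escaped: <?= \$this->xss ?>\nRaw: <?= ~\$this->xss ?>\n");
$view = new View();
$view->xss = '<b>bold</b>';
echo $view->render($script);
```

The "Escaped:" line shows the markup as entities while the "Raw:" line shows it unchanged, which is exactly the double-escaping symptom the post describes being visible as soon as you forget the `~` on an already-escaped value.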
This entry was posted by Pieter Vogelaar on September 16, 2011 at 10:55, and is filed under PHP, Zend Framework.
About Pieter Vogelaar
Hi, my name is Pieter Vogelaar. I’m a web developer / DevOps engineer / IT consultant specialized in high traffic and high profile websites. I love open source and have a great passion for automating and developing things!