-- howard chen <howac...@gmail.com> wrote
(on Monday, 13 July 2009, 09:32 PM +0800):
> Back to the Mar 2008, some guy posted :
> http://framework.zend.com/wiki/display/ZFDEV/Cross+Site+Scripting+Prevention+for+PHP
> 
> Any update on it?
> 
> Is it possible to do XSS filtering with Zend Framework now?

Zend_View::escape() has existed since the very first incarnations, and
is recommended throughout the Zend_View manual pages as the appropriate
way to sanitize user output:

    <?php echo $this->escape($this->foo) ?>

Unfortunately, I can't get to the wiki page currently (I'm working on
fixing that...), but I will note: Starting with 2.0, escaping will be
the default when retrieving variables from the view object, and you will
need to request the raw value explicitly if you need it. This is a
better approach, security-wise.

Regardless, though, XSS prevention has been baked in from the start.

-- 
Matthew Weier O'Phinney
Project Lead            | matt...@zend.com
Zend Framework          | http://framework.zend.com/

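The two escaping models described in the reply above (1.x: the template calls `escape()` explicitly; 2.0: reads from the view are escaped by default and the raw value must be requested explicitly), shown side by side as an added example. This is not code from the original post or from Zend Framework; the `EscapingView` class and its `assign()`/`raw()` methods are assumed names for illustration, and the sample value is constructed.

```php
<?php
// Added example, not Zend Framework code. A minimal view object that
// escapes on every default read and only returns the unescaped value
// through an explicit raw() call. Class and method names are assumptions.
final class EscapingView
{
    /** @var array<string, mixed> */
    private array $vars = [];

    public function assign(string $name, $value): void
    {
        $this->vars[$name] = $value;
    }

    // Explicit escape, in the spirit of Zend_View::escape() in 1.x.
    public function escape($value): string
    {
        // ENT_QUOTES rewrites both quote styles, so the result is safe as a
        // text node and inside single- or double-quoted attribute values.
        // ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning ''.
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Default read path (2.0 model): always escaped, so a template that
    // simply echoes $this->foo cannot forget to sanitize.
    public function __get(string $name): string
    {
        return $this->escape($this->vars[$name] ?? '');
    }

    // Opt-in unescaped access for values that are already trusted HTML.
    public function raw(string $name)
    {
        return $this->vars[$name] ?? null;
    }
}

// Constructed sample input containing every character htmlspecialchars rewrites.
$view = new EscapingView();
$view->assign('foo', 'Tom & "Jerry" <i>\'s</i>');

// 1.x style: the template escapes explicitly.
echo '<p>', $view->escape($view->raw('foo')), "</p>\n";

// 2.0 style: plain property access is escaped by default.
echo '<p>', $view->foo, "</p>\n";

// Only an explicit raw() call yields the unescaped markup.
echo '<p>', $view->raw('foo'), "</p>\n";
```

The first two `echo` lines produce identical, escaped output; the difference is who is responsible for remembering to escape. Under the default-escape model the unsafe path is the one that has to be written deliberately, which is the property the reply calls the better approach security-wise.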