-- howard chen <howac...@gmail.com> wrote (on Monday, 13 July 2009, 09:32 PM +0800):
> Back in Mar 2008, some guy posted:
> http://framework.zend.com/wiki/display/ZFDEV/Cross+Site+Scripting+Prevention+for+PHP
>
> Any update on it?
>
> Is it possible to do XSS filtering with Zend Framework now?
Zend_View::escape() has existed since the very first incarnations, and is recommended throughout the Zend_View manual pages as the appropriate way to sanitize user output:

    <?php echo $this->escape($this->foo) ?>

Unfortunately, I can't get to the wiki page currently (I'm working on fixing that...), but I will note:

Starting with 2.0, escaping will be the default when retrieving variables from the view object, and you will need to request the raw value explicitly if you need it. This is a better approach, security-wise.

Regardless, though, XSS prevention has been baked in from the start.

-- 
Matthew Weier O'Phinney
Project Lead | matt...@zend.com
Zend Framework | http://framework.zend.com/
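To make the two approaches Matthew contrasts concrete, here is an added, self-contained example (not code from the thread or from Zend Framework): a minimal view object whose variable reads are escaped by default, with an explicit raw() accessor, next to the 1.x-style explicit $this->escape() call. The class name EscapingView, the raw() method and the ENT_QUOTES/UTF-8 flags are assumptions for this illustration; the escaping shown is HTML-body/attribute escaping only, so values placed in JavaScript or URL contexts need a context-specific escaper.

```php
<?php
// Added example, not from the original thread or from Zend Framework itself.
// Shows escape-on-read (the 2.0 behaviour described above) beside the explicit
// escape() call used in Zend_View 1.x templates.

final class EscapingView
{
    private array $vars = [];

    public function assign(string $name, $value): void
    {
        $this->vars[$name] = $value;
    }

    // HTML escaping via htmlspecialchars, as Zend_View does; ENT_QUOTES (assumed here)
    // also covers single-quoted attribute values.
    public function escape($value): string
    {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }

    // Every variable read inside a template comes back escaped (2.0-style default).
    public function __get(string $name): string
    {
        return $this->escape($this->vars[$name] ?? '');
    }

    // The unescaped value must be requested explicitly (hypothetical accessor name).
    public function raw(string $name)
    {
        return $this->vars[$name] ?? null;
    }

    public function render(callable $template): string
    {
        ob_start();
        $template($this);
        return ob_get_clean();
    }
}

// Constructed untrusted input, e.g. a comment submitted through a form.
$view = new EscapingView();
$view->assign('comment', '<script>alert("xss")</script>');

$html = $view->render(function (EscapingView $v): void {
    echo '<p>', $v->comment, "</p>\n";                      // escaped automatically
    echo '<p>', $v->escape($v->raw('comment')), "</p>\n";   // 1.x style, same result
});

echo $html;
// Defensive check: no raw <script> tag may survive rendering.
if (strpos($html, '<script>') !== false) {
    throw new RuntimeException('escaping failed');
}
```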