Ondrej Ivanič-3 wrote:
> 
> That sounds like a ZF version of magic_quotes... How do you want to
> deal with different escaping in JavaScript, CSS, HTML, XML? A view
> script could be a mix of anything, i.e.:
I think it won't be something like magic_quotes, because that is at no
point secure; in my humble opinion it will be the usage of htmlspecialchars
or a defined escaping filter for the input you set.


Ondrej Ivanič-3 wrote:
> For a proper automatic escaping you need an information about context
> which is very hard (impossible) to get now...
Doesn't sound impossible ;)

something like:
// proposed API: declare the view's output content type, then register the
// escaping filter that matches it
$view->setContentType(Zend_View::CONTENT_JSON);
$view->addFilter(Zend_View::CONTENT_JSON, new Zend_View_Escaping_Json());

or, if you define the content type in the view script, you could use
something like this:
// proposed API: the view helper applies the escaping for that content type
$this->encoding(Zend_View::CONTENT_JSON);
echo $this->json($this->someData);

Tobias
-- 
View this message in context: 
http://www.nabble.com/XSS-Prevention-with-Zend-Framework-tp24461792p24477764.html
Sent from the Zend Framework mailing list archive at Nabble.com.

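As an added illustration of the context problem discussed above (example code, not from this thread and not Zend Framework code; the ContextEscaper class and its method names are hypothetical, and it assumes PHP 7.4 or newer with the mbstring extension):

```php
<?php
// Added example, not Zend Framework code: the same untrusted value echoed
// into four output contexts, each with the escaping that context needs.
// An input-side filter (magic_quotes style) cannot choose between these,
// because only the view knows where the value ends up.

final class ContextEscaper
{
    // HTML text and quoted attribute values.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // JavaScript string literal (quotes included). The HEX flags turn
    // < > & ' " into \uXXXX, so the literal cannot close the <script>.
    public static function js(string $s): string
    {
        return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
            | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
    }

    // CSS string value: everything outside [A-Za-z0-9] becomes \XXXXXX.
    public static function css(string $s): string
    {
        return preg_replace_callback(
            '/[^A-Za-z0-9]/u',
            fn (array $m): string => sprintf('\\%06X', mb_ord($m[0], 'UTF-8')),
            $s
        );
    }

    // Whole JSON body, for a response served as application/json.
    public static function json($data): string
    {
        return json_encode($data, JSON_THROW_ON_ERROR);
    }
}

// Constructed sample value: quotes and angle brackets mean something
// different in each context below.
$name = 'Tom "O\'Neil" <admin>';

echo '<p>Hello, ' . ContextEscaper::html($name) . "</p>\n";
echo '<input value="' . ContextEscaper::html($name) . "\">\n";
echo '<script>var user = ' . ContextEscaper::js($name) . ";</script>\n";
echo '<style>.u::after { content: "' . ContextEscaper::css($name) . "\"; }</style>\n";
echo ContextEscaper::json(['user' => $name]) . "\n";
```

Each echo line shows the value rendered differently: HTML entities in the markup, \u escapes inside the script literal, \XXXXXX escapes in the stylesheet, and a plain JSON document when the whole response is JSON.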