Versions 1.9.7, 1.8.5, and 1.7.9 of the Zend Framework have been released. In addition to over 40 bugfixes between them, these three releases are the first releases to resolve six security vulnerabilities reported against Zend Framework in recent weeks. The following security vulnerabilities are resolved in these releases:

Potential XSS or HTML Injection vector in Zend_Json

Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding, leading to incompatibilities with the JSON specification, and opening the potential for XSS or HTML injection attacks when returning HTML within a JSON string.

Potential XSS vector in Zend_Service_ReCaptcha_MailHide

Zend_Service_ReCaptcha_MailHide had a potential XSS vulnerability. Because the email address was never validated, and because its call to htmlentities() did not include the encoding argument, a malicious user aware of the issue could potentially inject a specially crafted multibyte string via the CAPTCHA's email argument.

Potential MIME-type Injection in Zend_File_Transfer

Zend_File_Transfer had a potential MIME type injection vulnerability for file uploads. In situations where PHP's ext/finfo extension was not installed and the mime_content_type() function was not available on a system, Zend_File_Transfer would use the user provided value for the type embedded inside the $_FILES superglobal. Additionally, in cases where that functionality was available but a type could not be determined by it, Zend_File_Transfer would also fall back on the user provided type. Using user provided information for a file's MIME type in uploads is considered an insecure practice, as it provides attack vectors to malicious users.

Potential XSS vector in Zend_Filter_StripTags when comments allowed

Zend_Filter_StripTags contained an optional setting to allow whitelisting HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional commented markup. By allowing whitelisting of HTML comments, a malicious user could potentially include XSS exploits within HTML comments that would then be rendered in the final output.

Potential XSS vector in Zend_Dojo_View_Helper_Editor

Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV. The Dojo team has reported that this has security implications, as the rich text editor they use is unable to escape content for a TEXTAREA.

Potential XSS vectors due to inconsistent encodings

A number of classes, primarily within the Zend_Form, Zend_Filter, Zend_Log and Zend_View components, contained character encoding inconsistencies whereby calls to the htmlspecialchars() and htmlentities() functions used undefined or hard-coded charset parameters.

A rendering strategy determines how the page will be rendered. By default, the .phtml view template is rendered with the help of the PhpRenderer class living in Zend\View\Renderer. This strategy works well in 99% of cases. But sometimes you may need to return something else, for example a JSON or RSS feed response.

A response in JSON format is typically returned when you implement some kind of API (Application Programming Interface). An API is used to retrieve data in a machine-readable format. A response in RSS feed format is typically used to publish frequently changing information, like blog posts or news.

So, ZF3 provides three view rendering strategies out of the box: the default one (also known as PhpRendererStrategy); the JsonStrategy, producing a JSON response; and the FeedStrategy, producing an RSS feed response.

For example, let's show how to use JsonStrategy to return a JSON response from a controller action. First, you'll need to register the strategy in