Zend Framework 2 introduced Escaper, which has one escaping method per output context.
There is one thing I don't understand. Why does Zend\Form\View\Helper\AbstractHelper.php use escapeHtml() for the HTML attribute context instead of escapeHtmlAttr()?
public function createAttributesString(array $attributes)
{
    $attributes = $this->prepareAttributes($attributes);
    $escape     = $this->getEscapeHtmlHelper();
    $strings    = array();
    foreach ($attributes as $key => $value) {
        $key = strtolower($key);
        if (!$value && isset($this->booleanAttributes[$key])) {
            // Skip boolean attributes that expect empty string as false value
            if ('' === $this->booleanAttributes[$key]['off']) {
                continue;
            }
        }
        //check if attribute is translatable
        if (isset($this->translatableAttributes[$key]) && !empty($value)) {
            if (($translator = $this->getTranslator()) !== null) {
                $value = $translator->translate(
                    $value, $this->getTranslatorTextDomain()
                );
            }
        }
        //@TODO Escape event attributes like AbstractHtmlElement view helper does in htmlAttribs ??
        $strings[] = sprintf('%s="%s"', $escape($key), $escape($value));
    }
    return implode(' ', $strings);
}
I'm not an XSS expert, so please clarify this for me. I want to integrate Zend_View (ZF1) with Zend\Escaper in a project I maintain.
The answer is: it should use escapeHtmlAttr(), and we recently patched it: http://framework.zend.com/security/advisory/ZF2014-03
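To make the difference between the two escapers concrete, here is an added example (not code from the question, the answer, or Zend Framework itself). It assumes the standalone zendframework/zend-escaper package is installed through Composer; the attribute values, the renderAttr() helper and the quoted/unquoted variants are all constructed for the demonstration.

```php
<?php
// Added example, not part of the original thread or of Zend Framework.
// Assumes: composer require zendframework/zend-escaper
require __DIR__ . '/vendor/autoload.php';

use Zend\Escaper\Escaper;

$escaper = new Escaper('utf-8');

// Constructed attribute values. The second one contains no character that
// the HTML-body escaper (htmlspecialchars with ENT_QUOTES) treats as special,
// but a space and '=' are enough to start a second attribute if the
// surrounding template does not quote the value.
$values = array(
    'title'     => 'Plain "quoted" value',
    'data-name' => 'x onmouseover=doSomething()',
);

/**
 * Render one attribute with the given escaper callable.
 * $quoted = true mirrors what createAttributesString() does (value in "...");
 * $quoted = false shows what happens in a template that omits the quotes.
 */
function renderAttr($name, $value, callable $escape, $quoted)
{
    $escaped = $escape($value);
    return $quoted
        ? sprintf('%s="%s"', $name, $escaped)
        : sprintf('%s=%s', $name, $escaped);
}

// escapeHtml(): body-context escaping, what the helper used before ZF2014-03.
$body = array($escaper, 'escapeHtml');
// escapeHtmlAttr(): attribute-context escaping, what the advisory switches to.
$attr = array($escaper, 'escapeHtmlAttr');

foreach ($values as $name => $value) {
    echo "escapeHtml,     quoted:   <input " . renderAttr($name, $value, $body, true)  . ">\n";
    echo "escapeHtml,     unquoted: <input " . renderAttr($name, $value, $body, false) . ">\n";
    echo "escapeHtmlAttr, quoted:   <input " . renderAttr($name, $value, $attr, true)  . ">\n";
    echo "escapeHtmlAttr, unquoted: <input " . renderAttr($name, $value, $attr, false) . ">\n\n";
}
```

escapeHtml() only touches `&`, `<`, `>`, `"` and `'`, so the second value passes through unchanged and, in the unquoted rendering, the browser reads `onmouseover=doSomething()` as a separate attribute. escapeHtmlAttr() encodes every character outside `[A-Za-z0-9,.\-_]` (the space becomes `&#x20;`, `=` becomes `&#x3D;`), so the value stays a single token no matter how the template quotes it; that is why the attribute escaper is the correct choice for createAttributesString() even though it does add its own quotes. For the ZF1 integration mentioned in the question, Zend_View_Abstract::setEscape() accepts a callable, so `$view->setEscape(array($escaper, 'escapeHtml'))` covers the body context, and attribute values should go through `$escaper->escapeHtmlAttr()` explicitly.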