Zend 2 Form View Helper incoherent escaping

Zend Framework 2 introduced Escaper, which has as many methods for escaping as contexts.

I do not understand just one thing. Why Zend\Form\View\Helper\AbstractHelper.php uses escapeHtml () instead of escapeHtmlAttr () for the html attribute context.

public function createAttributesString(array $attributes)
    $attributes = $this->prepareAttributes($attributes);
    $escape     = $this->getEscapeHtmlHelper();
    $strings    = array();
    foreach ($attributes as $key => $value) {
        $key = strtolower($key);
        if (!$value && isset($this->booleanAttributes[$key])) {
            // Skip boolean attributes that expect empty string as false value
            if ('' === $this->booleanAttributes[$key]['off']) {

        //check if attribute is translatable
        if (isset($this->translatableAttributes[$key]) && !empty($value)) {
            if (($translator = $this->getTranslator()) !== null) {
                $value = $translator->translate(
                        $value, $this->getTranslatorTextDomain()

        //@TODO Escape event attributes like AbstractHtmlElement view helper does in htmlAttribs ??
        $strings[] = sprintf('%s="%s"', $escape($key), $escape($value));
    return implode(' ', $strings);

I am not an expert of XSS, so please clarify this to me. I want to integrate the Zend_View (ZF1) with Zend\Escaper for project which I maintain.


The answer is: it should be using escapeHtmlAttr(), and we recently patched it: http://framework.zend.com/security/advisory/ZF2014-03

Need Your Help

php num->rows not working

php mysql mysqli

I keep getting an error, even though I am 100% sure I followed the example that is found in the PHP manual.

Commands for ImageMagick to create thumbnails

image image-processing image-manipulation imagemagick

Given an photograph uploaded by a user, what is best approach to creating a number various sized thumbnails Using ImageMagick (or GraphicsMagick)? My guess to the steps: