
Authored by Corey Ballou

Override the Default Zend Escape Method

By default, calling $this->escape() in a view script invokes Zend_View_Abstract::escape(), which simply hands the value to the configured escape callback (htmlspecialchars() unless you change it). From a security standpoint that implementation is thin: it does nothing to detect invalid multi-byte sequences or to convert unexpected encodings before escaping, so malformed input is either passed through or silently blanked by htmlspecialchars() rather than handled deliberately. For that reason I set up a more robust drop-in replacement and install it by calling Zend_View_Abstract::setEscape().

As an added benefit, Zend_Form renders every element value through $this->escape(), so once the drop-in replacement is installed your form output is hardened automatically without touching any form code:

It goes without saying that nothing comes for free in Zend. To get this implementation running you also need to register the new view helper in your bootstrap file and add its directory to the helper or include path so the autoloader can find it:

You can tweak the Clean class to your liking. Right now, for instance, it automatically strips HTML tags. If you are accepting WYSIWYG editor output that is probably undesirable, so removing that section makes sense; bear in mind, though, that tag stripping is not an HTML sanitizer either, so markup you intend to render unescaped still needs to go through a proper HTML filter before output.
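The post's own Clean class and bootstrap snippet are not reproduced above, so the following is an added example (not the author's code) of the same approach: a Zend Framework 1 view helper whose clean() method validates UTF-8, optionally strips tags and escapes with ENT_QUOTES, wired in through setEscape() from the bootstrap. The class prefix My_View_Helper, the helper directory APPLICATION_PATH . '/views/helpers' and the use of the mbstring and iconv extensions are assumptions.

```php
<?php
// Added example, not the original post's class. Assumes Zend Framework 1.x,
// the mbstring and iconv extensions, and a helper directory registered under
// the (assumed) class prefix My_View_Helper.

class My_View_Helper_Clean extends Zend_View_Helper_Abstract
{
    /**
     * Escape a value for HTML output, handling bad encodings first.
     *
     * @param  mixed $value     value to escape (cast to string)
     * @param  bool  $stripTags strip HTML tags before escaping; disable for
     *                          WYSIWYG content that is filtered elsewhere
     * @return string
     */
    public function clean($value, $stripTags = true)
    {
        $value = (string) $value;

        // htmlspecialchars() returns '' for a string with invalid UTF-8, which
        // silently blanks output. Detect that case and repair the string by
        // dropping the invalid sequences, so the result is predictable.
        if (!mb_check_encoding($value, 'UTF-8')) {
            $repaired = @iconv('UTF-8', 'UTF-8//IGNORE', $value);
            $value = ($repaired === false) ? '' : $repaired;
        }

        if ($stripTags) {
            $value = strip_tags($value);
        }

        // ENT_QUOTES also escapes single quotes; the default ENT_COMPAT leaves
        // them alone, which matters inside single-quoted HTML attributes.
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
}

// Bootstrap wiring (assumed file: application/Bootstrap.php).
class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    protected function _initEscape()
    {
        $this->bootstrap('view');
        $view = $this->getResource('view');

        // Make the helper discoverable, then route every $this->escape()
        // call (including Zend_Form rendering) through clean().
        $view->addHelperPath(APPLICATION_PATH . '/views/helpers', 'My_View_Helper');
        $view->setEscape(array($view->getHelper('Clean'), 'clean'));
    }
}
```

With this in place, $this->escape("<b>O'Reilly</b>") in a view script yields O&#039;Reilly (tags stripped, quote escaped), and a string containing a truncated multi-byte sequence comes back escaped rather than as an empty string. Passing $stripTags = false keeps the markup but still escapes it, so nothing renders as HTML unless a separate filter has approved it.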

Author: Corey Ballou

Corey Ballou is a professional PHP developer by trade, specializing in custom web application development for startups, small businesses, and agencies. Follow Corey on Twitter @cballou.