By default, calling $this->escape() in your view files invokes Zend_View_Abstract::escape(). The problem with Zend’s default escape method is that it is weak from a security standpoint: it has no handling built in for invalid multi-byte characters or for converting input that arrives in unexpected encodings. For this reason, I set up a drop-in replacement that is a bit more robust, and override the default by making a call to
As an added benefit, every Zend_Form input value is run through $this->escape() by default, so you automatically get the stronger escaping simply by using this drop-in replacement:
It goes without saying that nothing comes for free in Zend. In order to get this implementation up and running, you’ll also need to register a new view helper in your bootstrap file and add a new include path for your autoloader to pick up on:
You can tweak the Clean class to your liking. Right now, for instance, it will automatically strip HTML tags. If you’re using a WYSIWYG editor, this might be undesirable behavior, so removing this section would be beneficial.
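To make the idea concrete, here is an added example of what such a drop-in escaper and its registration can look like. This is not the author's Clean class and not Zend's own code: the class name Clean_Escaper, the $stripTags switch, the bootstrap snippet and the include path are all assumptions. It hooks into Zend_View through setEscape(), which accepts any PHP callback; whether the original post used that route is not shown here.

```php
<?php
// Added example: a more defensive escaper for Zend_View (ZF1).
// Not the post's Clean class; names and paths are assumptions.

class Clean_Escaper
{
    /** @var bool Strip HTML tags before escaping (the post's default behaviour). */
    public static $stripTags = true;

    /**
     * Escape a value for HTML output, coping with invalid multi-byte
     * sequences and with input that arrives in another encoding.
     *
     * Zend_View_Abstract::escape() passes only the value to a custom
     * callback, so $fromEncoding falls back to UTF-8 unless called directly.
     *
     * @param  mixed  $value
     * @param  string $fromEncoding Encoding the input claims to be in
     * @return string
     */
    public static function escape($value, $fromEncoding = 'UTF-8')
    {
        $value = (string) $value;

        // 1. Normalise to UTF-8 first; converting before escaping means the
        //    byte sequences htmlspecialchars() sees are the ones it expects.
        if (strcasecmp($fromEncoding, 'UTF-8') !== 0) {
            $value = mb_convert_encoding($value, 'UTF-8', $fromEncoding);
        }

        // 2. Scrub invalid multi-byte sequences. Without this, htmlspecialchars()
        //    returns an empty string for bad UTF-8 on older PHP, silently
        //    blanking output; converting UTF-8 to UTF-8 replaces the bad bytes.
        if (!mb_check_encoding($value, 'UTF-8')) {
            $value = mb_convert_encoding($value, 'UTF-8', 'UTF-8');
        }

        // 3. Optionally drop tags entirely. Disable this for WYSIWYG content.
        if (self::$stripTags) {
            $value = strip_tags($value);
        }

        // 4. Escape all five HTML-significant characters. ENT_QUOTES also
        //    covers the single quote, which ENT_COMPAT leaves untouched, so
        //    single-quoted attributes are protected as well.
        $flags = ENT_QUOTES;
        if (defined('ENT_SUBSTITUTE')) {   // PHP >= 5.4: replace, don't blank
            $flags |= ENT_SUBSTITUTE;
        }
        return htmlspecialchars($value, $flags, 'UTF-8');
    }
}

// Constructed sample inputs for a quick manual check.
$samples = array(
    'plain'          => 'Hello <b>world</b> & friends',
    'single quotes'  => "' onmouseover='alert(1)",
    'broken utf-8'   => "caf\xC3",          // truncated multi-byte sequence
    'latin-1 source' => "caf\xE9",          // é in ISO-8859-1
);
foreach ($samples as $label => $raw) {
    $enc = ($label === 'latin-1 source') ? 'ISO-8859-1' : 'UTF-8';
    echo str_pad($label, 15), ': ', Clean_Escaper::escape($raw, $enc), PHP_EOL;
}

// Hooking it in (assumed Bootstrap method; the library path is a placeholder):
//
//   protected function _initView()
//   {
//       set_include_path(implode(PATH_SEPARATOR, array(
//           APPLICATION_PATH . '/../library',      // placeholder path
//           get_include_path(),
//       )));
//       $view = new Zend_View();
//       $view->setEncoding('UTF-8');
//       $view->setEscape(array('Clean_Escaper', 'escape'));
//       Zend_Controller_Action_HelperBroker::getStaticHelper('viewRenderer')
//           ->setView($view);
//       return $view;
//   }
```

Two design points worth noting. Stripping tags is a convenience, not the security control: step 4 is what prevents injected markup from being interpreted, so if you turn $stripTags off for WYSIWYG content you still get escaped output, and rendering editor HTML unescaped needs a separate whitelist-based sanitiser rather than this helper. And the encoding scrub in step 2 is deliberate: a browser will happily interpret a stray lead byte followed by `<` differently from what a byte-oriented escaper assumed, so normalising to valid UTF-8 before escaping is what closes that gap.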