Additionally, users of the 1.9 series may be affected by other changes starting in version 1.9.7. These are all security fixes that also have potential backwards compatibility implications.
A slight change was made in the 1.9 series to modify the default usage of the Editor dijit to use div tags instead of a textarea tag; the latter usage has security implications, and usage of div tags is recommended by the Dojo project.
In order to still allow graceful degradation, a new degrade option was added to the view helper; this allowed developers to optionally use a textarea instead. However, this opens applications developed with that usage to XSS vectors. In 1.9.7, we have removed this option. Graceful degradation is still supported, however, via a noscript tag that embeds a textarea. This solution addresses all security concerns.
The takeaway is that if you were using the degrade flag, it will simply be ignored at this time.
In order to default to a more secure character encoding, Zend_Filter_HtmlEntities now defaults to UTF-8 instead of ISO-8859-1.
Additionally, because the actual mechanism is dealing with character encodings and not character sets, two new methods have been added, setEncoding() and getEncoding(). The previous methods setCharSet() and getCharSet() are now deprecated and proxy to the new methods. Finally, instead of using the protected members directly within the filter() method, these members are retrieved by their explicit accessors. If you were extending the filter in the past, please check your code and unit tests to ensure everything still continues to work.
Zend_Filter_StripTags contains a flag, commentsAllowed, that, in previous versions, allowed you to optionally whitelist HTML comments in HTML text filtered by the class. However, this opens code enabling the flag to XSS attacks, particularly in Internet Explorer (which allows specifying conditional functionality via HTML comments). Starting in version 1.9.7 (and backported to versions 1.8.5 and 1.7.9), the commentsAllowed flag no longer has any meaning, and all HTML comments, including those containing other HTML tags or nested comments, will be stripped from the final output of the filter.
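As an added illustration (not the framework's code), the following stand-alone Python re-implements the two behaviours described: a pre-1.9.7 filter that passes whitelisted comments through untouched, and the 1.9.7+ filter that strips every comment, including nested and unterminated ones, before filtering tags. The comment-removal loop and the allow-list handling are this example's own simplifications of Zend_Filter_StripTags, and the sample input is constructed.

```python
import re

# Constructed sample input (not from the page): an IE conditional comment
# wrapping a tag, followed by a tag that is not on the allow-list.
SAMPLE = '<p>Hi <!--[if IE]><i>ie</i><![endif]--><b>there</b></p>'

_COMMENT_CLOSE = re.compile(r'--\s*>')
_TAG = re.compile(r'</?([A-Za-z][A-Za-z0-9]*)[^>]*>')

def strip_html_comments(value):
    """Remove every HTML comment, including comments that contain tags or
    further '<!--' openers. Working from the LAST opener backwards removes a
    nested comment before its enclosing one, so nothing survives between
    them; an opener with no closer swallows the rest of the input."""
    while True:
        pos = value.rfind('<!--')
        if pos == -1:
            return value
        head, tail = value[:pos], value[pos:]
        # Look for the closer after the 4-char opener so that '<!-->' cannot
        # close itself.
        close = _COMMENT_CLOSE.search(tail, 4)
        value = head if close is None else head + tail[close.end():]

def strip_tags(value, allowed=()):
    """Drop every tag whose name is not in `allowed` (attribute filtering,
    which the real filter also performs, is left out here)."""
    names = {t.lower() for t in allowed}
    return _TAG.sub(lambda m: m.group(0) if m.group(1).lower() in names else '', value)

def filter_pre_197(value, allowed=(), comments_allowed=False):
    """Pre-1.9.7 behaviour: with comments_allowed=True each comment is copied
    to the output verbatim, so markup inside it bypasses the tag filter."""
    if not comments_allowed:
        return filter_197(value, allowed)
    parts = re.split(r'(<!--.*?-->)', value, flags=re.S)
    # Odd-indexed parts are the captured comments and are passed through.
    return ''.join(p if i % 2 else strip_tags(p, allowed)
                   for i, p in enumerate(parts))

def filter_197(value, allowed=()):
    """1.9.7+ behaviour: comments are always removed before tags are filtered,
    so nothing inside a comment can reach the output."""
    return strip_tags(strip_html_comments(value), allowed)

if __name__ == '__main__':
    print(filter_pre_197(SAMPLE, allowed=('p',), comments_allowed=True))
    print(filter_197(SAMPLE, allowed=('p',)))
```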