One of the most important tasks to perform in a view script is to make sure that output is escaped properly; among other things, this helps to avoid cross-site scripting attacks. Unless you are using a function, method, or helper that does escaping on its own, you should always escape variables when you output them.
Zend_View comes with a method called escape() that does such escaping for you.
```php
// bad view-script practice: the raw value goes straight into the HTML
echo $this->variable;

// good view-script practice: the value is escaped on output
echo $this->escape($this->variable);
```
By default, the escape() method uses the PHP htmlspecialchars() function for escaping. However, depending on your environment, you may wish for escaping to occur in a different way. Use the setEscape() method at the controller level to tell Zend_View what escaping callback to use.
```php
// create a Zend_View instance
$view = new Zend_View();

// tell it to use htmlentities as the escaping callback
$view->setEscape('htmlentities');

// or tell it to use a static class method as the callback
// ('someStaticMethod' is a placeholder method name)
$view->setEscape(array('SomeClass', 'someStaticMethod'));

// or even an instance method ('someMethod' is a placeholder method name)
$obj = new SomeClass();
$view->setEscape(array($obj, 'someMethod'));

// and then render your view ('example.phtml' is a placeholder script name)
echo $view->render('example.phtml');
```
The callback function or method should take the value to be escaped as its first parameter, and all other parameters should be optional.
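An added example (not from the Zend manual) of a callback that follows this contract: the value is the first parameter and the only required one. The class and method names HtmlEscaper and escapeHtml are assumptions; the sample input is constructed.

```php
<?php
// Custom escaping callback for Zend_View::setEscape().
// Compared with the default htmlspecialchars() call, it also encodes single
// quotes (ENT_QUOTES) and names the charset explicitly, so a value dropped
// into a single-quoted attribute cannot terminate that attribute.
class HtmlEscaper
{
    private $charset;

    public function __construct($charset = 'UTF-8')
    {
        $this->charset = $charset;
    }

    // Contract: first parameter is the value to escape; every other
    // parameter is optional, so Zend_View can call it with one argument.
    public function escapeHtml($value, $doubleEncode = true)
    {
        return htmlspecialchars((string) $value, ENT_QUOTES, $this->charset, $doubleEncode);
    }
}

// Constructed sample containing each character that needs escaping.
$untrusted = "Tom & Jerry's <b>\"show\"</b>";

// Default behaviour: the single quote passes through unchanged.
echo htmlspecialchars($untrusted), "\n";

// Custom callback: &, <, >, " and ' are all encoded.
$escaper = new HtmlEscaper('UTF-8');
echo $escaper->escapeHtml($untrusted), "\n";

// Wiring it into Zend_View (requires the framework on the include path):
// $view = new Zend_View();
// $view->setEscape(array($escaper, 'escapeHtml'));
// echo $view->escape($untrusted);
```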