GHSA-gvpp-6jrj-5pqc: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Zend Framework 2, identified as ZF2014-03. The vulnerability affected multiple view helpers that were using the escapeHtml() view helper instead of the more appropriate escapeHtmlAttr() for escaping HTML attributes. This issue affected versions 2.0.0 through 2.2.7 and 2.3.0 through 2.3.1 of the framework (Zend Advisory).

The vulnerability stemmed from improper HTML attribute escaping in various view helpers. The affected components included all Zend\Form view helpers, most Zend\Navigation view helpers, and HTML Element view helpers (htmlFlash(), htmlPage(), htmlQuickTime()), as well as Zend\View\Helper\Gravatar. The issue occurred when user data and/or JavaScript was used to seed attributes, potentially leading to XSS attack vectors (Zend Advisory).

When exploited, this vulnerability could allow attackers to execute cross-site scripting attacks through HTML attributes in various view helpers. This could potentially lead to the execution of malicious JavaScript code in the context of the user's browser session (GitHub Advisory).

The vulnerability was patched in Zend Framework versions 2.2.7 and 2.3.1. The fix involved updating all affected view helpers to use the escapeHtmlAttr() view helper when escaping data for HTML attributes instead of escapeHtml(). Users should upgrade to these patched versions to resolve the vulnerability (Zend Advisory).

The Zend Framework team acknowledged the contributions of Evan Coury (github.com/EvanDotPro) for reporting the issue and Marco Pivetta (github.com/Ocramius) for providing a patch (Zend Advisory).