PT-2024-40307 · Zend · Zend Framework 2
Published: 2024-06-07 · Updated: 2024-06-07
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Zend Framework 2 (affected versions not specified)
Description
The issue arises from the use of the escapeHtml() view helper, instead of the more suitable escapeHtmlAttr(), to escape HTML attribute values in various Zend Framework 2 view helpers. escapeHtml() is intended for HTML element content, so using it for attribute values leaves potential cross-site scripting (XSS) attack vectors, particularly when user data and/or JavaScript are used to seed attributes. The affected view helpers include all Zend\Form view helpers, most Zend\Navigation view helpers, all "HTML Element" view helpers such as htmlFlash(), htmlPage() and htmlQuickTime(), and Zend\View\Helper\Gravatar.
Recommendations
For all affected versions, consider updating the view helpers to use escapeHtmlAttr() instead of escapeHtml() to properly escape HTML attributes and mitigate the risk of XSS attacks.
As a temporary workaround, consider restricting user input and validating data used in HTML attributes to minimize the risk of exploitation.
Avoid using user data and/or JavaScript to seed attributes in the affected view helpers until the issue is resolved.
Fix
XSS
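The difference between the two escaping strategies is easiest to see on an unquoted attribute. The script below is an added example, not Zend Framework code: escapeHtmlLike() and escapeHtmlAttrLike() are simplified stand-ins modelled on the two strategies the advisory contrasts (htmlspecialchars() for element content versus entity-encoding every non-alphanumeric character for attributes), and attributeNames() is an assumed helper that parses the rendered tag to check whether the value stayed inside one attribute. The real Zend\Escaper additionally emits named entities and handles invalid UTF-8 and control characters; the example assumes PHP 7.2+ with ext-mbstring and ext-dom.

```php
<?php
declare(strict_types=1);

// Added example, not Zend Framework code. The two escapers below are simplified
// stand-ins for the strategies the advisory contrasts; they are not Zend\Escaper.

// HTML-body strategy: only & < > " ' are touched. Whitespace and '=' pass
// through, which is fine in element content but not inside an attribute.
function escapeHtmlLike(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute strategy: every character outside [A-Za-z0-9,.-_] becomes a hex
// entity, so nothing in the value can end the attribute or start a new one.
function escapeHtmlAttrLike(string $value): string
{
    return preg_replace_callback(
        '/[^A-Za-z0-9,.\-_]/u',
        static function (array $m): string {
            $cp = mb_ord($m[0], 'UTF-8');
            return sprintf($cp < 0x100 ? '&#x%02X;' : '&#x%04X;', $cp);
        },
        $value
    );
}

// Assumed helper: parse a rendered <input> tag and return its attribute names.
// A correctly escaped value must remain inside the single attribute it was put in.
function attributeNames(string $tag): array
{
    $doc = new DOMDocument();
    $doc->loadHTML(
        '<!DOCTYPE html><html><body>' . $tag . '</body></html>',
        LIBXML_NOERROR | LIBXML_NOWARNING
    );
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed input: plain text whose space and '=' are exactly the characters
// the HTML-body escaper leaves alone.
$value = 'x y="z"';

foreach (['escapeHtmlLike', 'escapeHtmlAttrLike'] as $escaper) {
    // Unquoted attribute: the form in which the difference becomes visible.
    $tag = sprintf('<input type="text" value=%s>', $escaper($value));
    printf("%-19s %s\n", $escaper . ':', $tag);
    printf("%-19s %s\n", 'attributes:', implode(', ', attributeNames($tag)));
}
```

With the HTML-body escaper the parsed tag ends up with a third attribute (type, value, y), because the unencoded space ended the unquoted value and the rest was read as a new attribute; with the attribute escaper the parsed tag has only type and value. The same parse-and-count check can be turned into a unit test for any view helper that interpolates data into attributes, and it complements rather than replaces the other half of the fix: always quote attribute values in templates, and use escapeHtmlAttr() for what goes inside the quotes.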
Weakness Enumeration
Related Identifiers
Affected Products
Zend Framework 2