Zend-Navigation vulnerable to Cross-site Scripting
Many Zend Framework 2 view helpers were using the escapeHtml() view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr(). In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors. Vulnerable view helpers include: All Zend\Form view helpers. Most Zend\Navigation (aka Zend\View\Helper\Navigation*) view helpers. All "HTML Element" view helpers: htmlFlash(), htmlPage(), htmlQuickTime(). Zend\View\Helper\Gravatar