Question

The documentation for Zend_View shows an escape($var) method. It also suggests that it should be manually invoked for each variable we want to display: $this->escape($this->var);

Is there a way to extend Zend_View to automatically escape?


Solution

This is a risky thing to consider for two reasons.

Firstly, the type of escaping required depends on the context in which the variable is output. E.g. outputting a string in the middle of some HTML requires different characters to be escaped than outputting it within some <script> tags, or as the value of an HTML attribute.

Secondly, what would you do about objects? Consider echo $this->name vs. echo $this->user->name (where $this->user is an instance of a class). In the latter example ->name could even be a dynamically generated string that is the result of a __get() call. There's no way for this to be auto-escaped, so you end up in a situation where some of your data is auto-escaped and some isn't. Arguably this is less secure than the out-of-the-box-escape-it-yourself approach, as it provides a false sense of security.
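The two gaps described in this answer, shown in PHP as an added example (not code from the answer or from Zend Framework): a hypothetical AutoEscapingView class that escapes strings on read, a hypothetical User class with a __get(), and constructed sample values.

```php
<?php
// Added example, not from the original answers or from Zend Framework.
// AutoEscapingView and User are hypothetical stand-ins; sample values are constructed.

class AutoEscapingView
{
    private array $vars = [];

    public function assign(string $name, $value): void
    {
        $this->vars[$name] = $value;
    }

    // Auto-escape on read: only applies to strings read directly from the view.
    public function __get(string $name)
    {
        $value = $this->vars[$name] ?? null;
        return is_string($value) ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
    }
}

class User
{
    // Dynamically generated property, the $this->user->name case from the answer.
    public function __get(string $name): string
    {
        return '<b>untrusted "name"</b>';   // constructed untrusted value
    }
}

$view = new AutoEscapingView();
$view->assign('title', 'Tom & "Jerry"');   // constructed untrusted value
$view->assign('user', new User());

// Gap 1: the nested read never passes through the view's __get(), so raw markup is printed.
echo "<h1>{$view->user->name}</h1>\n";   // <h1><b>untrusted "name"</b></h1>
// Escaping at the point of output, as Zend_View's escape() expects, closes the gap.
echo '<h1>' . htmlspecialchars($view->user->name, ENT_QUOTES, 'UTF-8') . "</h1>\n";

// Gap 2: HTML-body escaping is the wrong rule inside <script>; entities are not
// decoded there, so the value arrives mangled as "Tom &amp; &quot;Jerry&quot;".
echo "<script>var t = \"{$view->title}\";</script>\n";
// The JavaScript context needs its own encoding rule, e.g. JSON with hex-escaped HTML characters.
$json = json_encode('Tom & "Jerry"', JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS);
echo "<script>var t = {$json};</script>\n";   // var t = "Tom \u0026 \u0022Jerry\u0022";
```

An escaping view cannot know which of these contexts a template will place a value in, which is why the per-variable escape() call stays with the template author.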

OTHER TIPS

I believe this is implementable by using a custom View class that employs a custom stream handler.

Details of such an implementation are provided by Rob Allen at http://akrabat.com/zend-framework/a-view-stream-with-zend_view/.

Licensed under: CC-BY-SA with attribution