
ZF-8127, ZF-6753: Secure usage of Editor dijit by default, with graceful degradation via noscript tag

git-svn-id: http://framework.zend.com/svn/framework/standard/trunk@20116 44c647ce-9c0f-0410-b52a-842ac1e357ba
matthew 16 anni fa

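--- a/documentation/manual/en/module_specs/Zend_Dojo-View-Helpers.xml
+++ b/documentation/manual/en/module_specs/Zend_Dojo-View-Helpers.xml
@@ -663,21 +663,19 @@ echo $view->editor('foo');
 
                     <para>
                         The Editor dijit uses an <acronym>HTML</acronym> <acronym>DIV</acronym> by
-                        default. The <classname>dijit._editor.RichText</classname> documentation
+                        default. The <classname>dijit._editor.RichText</classname> <ulink
+                            url="http://api.dojotoolkit.org/jsdoc/HEAD/dijit._editor.RichText">documentation</ulink>
                         indicates that having it built on an HTML <acronym>TEXTAREA</acronym> can
                         potentially have security implications.
                     </para>
 
                     <para>
-                        That said, there may be times when you want an Editor widget that can
-                        gracefully degrade to a <acronym>TEXTAREA</acronym>. In such situations, you
-                        can do so by passing a boolean <constant>TRUE</constant> value to the
-                        <varname>degrade</varname> parameter:
+                        In order to allow graceful degradation in environments where Javascript is
+                        unavailable, <classname>Zend_Dojo_View_Helper_Editor</classname> also wraps
+                        a <acronym>textarea</acronym> within a <acronym>noscript</acronym> tag; the
+                        content of this <acronym>textarea</acronym> will be properly escaped to
+                        avoid security vulnerability vectors.
                     </para>
-
-                    <programlisting language="php"><![CDATA[
-echo $this->editor('foo', '', array('degrade' => true));
-]]></programlisting>
                 </note>
             </listitem>
 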

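--- a/documentation/manual/en/ref/migration-19.xml
+++ b/documentation/manual/en/ref/migration-19.xml
@@ -4,7 +4,7 @@
     <title>Zend Framework 1.9</title>
 
     <para>
-        When upgrading from a previous release to Zend Framework 1.9 or higher you
+        When upgrading from a release of Zend Framework earlier than 1.9.0 to any 1.9 release, you
         should note the following migration notes.
     </para>
 
@@ -342,7 +342,42 @@ $container = new Zend_Navigation(array(
 </ul>
 ]]></programlisting>
     </sect2>
+
+    <para>
+        Additionally, users of the 1.9 series may be affected by other changes starting in version
+        1.9.7. These are all security fixes that also have potential backwards compatibility
+        implications.
+    </para>
+
+    <sect2 id="migration.19.zend.dojo.editor">
+        <title>Zend_Dojo_View_Helper_Editor</title>
+
+        <para>
+            A slight change was made in the 1.9 series to modify the default usage of the Editor
+            dijit to use <acronym>div</acronym> tags instead of a <acronym>textarea</acronym> tag;
+            the latter usage has <ulink
+                url="http://api.dojotoolkit.org/jsdoc/HEAD/dijit._editor.RichText">security
+            implications</ulink>, and usage of <acronym>div</acronym> tags is recommended by the
+            Dojo project.
+        </para>
+
+        <para>
+            In order to still allow graceful degradation, a new <varname>degrade</varname> option
+            was added to the view helper; this would allow developers to optionally use a
+            <acronym>textarea</acronym> instead. However, this opens applications developed with
+            that usage to <acronym>XSS</acronym> vectors. In 1.9.7, we have removed this option.
+            Graceful degradation is still supported, however, via a <acronym>noscript</acronym> tag
+            that embeds a <acronym>textarea</acronym>. This solution addressess all security
+            concerns.
+        </para>
+
+        <para>
+            The takeaway is that if you were using the <varname>degrade</varname> flag, it will
+            simply be ignored at this time.
+        </para>
+    </sect2>
+
 </sect1>
 <!--
 vim:se ts=4 sw=4 et:
--->
+-->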

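--- a/library/Zend/Dojo/View/Helper/Editor.php
+++ b/library/Zend/Dojo/View/Helper/Editor.php
@@ -83,12 +83,10 @@ class Zend_Dojo_View_Helper_Editor extends Zend_Dojo_View_Helper_Dijit
             }
         }
 
-        // Use a <div> by default, but allow degradation to <textarea> on request
-        $type = 'div';
+        // Previous versions allowed specifying "degrade" to allow using a 
+        // textarea instead of a div -- but this is insecure. Removing the 
+        // parameter if set to prevent its injection in the dijit.
         if (isset($params['degrade'])) {
-            $type = ($params['degrade'])
-                  ? 'textarea'
-                  : 'div';
             unset($params['degrade']);
         }
 
@@ -116,16 +114,16 @@ class Zend_Dojo_View_Helper_Editor extends Zend_Dojo_View_Helper_Dijit
 
         $attribs = $this->_prepareDijit($attribs, $params, 'textarea');
 
-        $html = '<input' . $this->_htmlAttribs($hiddenAttribs) . $this->getClosingBracket();
-        if ($type == 'textarea') {
-            $html .= '<textarea' . $this->_htmlAttribs($attribs) . '>'
-                   . $value
-                   . "</textarea>\n";
-        } else {
-            $html .= '<div' . $this->_htmlAttribs($attribs) . '>'
-                   . $value
-                   . "</div>\n";
-        }
+        $html  = '<input' . $this->_htmlAttribs($hiddenAttribs) . $this->getClosingBracket();
+        $html .= '<div' . $this->_htmlAttribs($attribs) . '>'
+               . $value
+               . "</div>\n";
+
+        // Embed a textarea in a <noscript> tag to allow for graceful 
+        // degradation
+        $html .= '<noscript>'
+               . $this->view->formTextarea($hiddenId, $value, $attribs)
+               . '</noscript>';
 
         return $html;
     }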
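Review bot: The noscript fallback at the end of the second hunk names the textarea `$hiddenId` and reuses `$attribs`, which `_prepareDijit()` has just populated for the div (its id and dijit markers); if, as the surrounding names suggest, the hidden `<input>` built from `$hiddenAttribs` is named `$name` and `$hiddenId` is a derived id, then with JavaScript disabled the edited text is posted under the `$hiddenId` key while the original `$value` still arrives under `$name`, so the degraded form does not round-trip the edit. Consider `$this->view->formTextarea($name, $value, array('id' => $hiddenId))` with a dedicated attribute array rather than the dijit-decorated `$attribs`, and a test asserting `name="foo"` on the noscript textarea. Separately, `$value` is still concatenated raw into the `<div>`; that is inherent to a rich-text editor whose content is HTML, but the line deserves a comment such as `// $value is intentionally emitted as HTML; callers must sanitize editor content server-side before storing or re-rendering it` so the contrast with the escaped noscript copy is explicit. The method's opening, where `$hiddenAttribs` and `$hiddenId` are built, lies above the first hunk.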

+ 4 - 20
tests/Zend/Dojo/View/Helper/EditorTest.php

@@ -196,6 +196,7 @@ class Zend_Dojo_View_Helper_EditorTest extends PHPUnit_Framework_TestCase
 
 
     /**
     /**
      * @group ZF-6753
      * @group ZF-6753
+     * @group ZF-8127
      */
      */
     public function testHelperShouldUseDivByDefault()
     public function testHelperShouldUseDivByDefault()
     {
     {
@@ -205,29 +206,12 @@ class Zend_Dojo_View_Helper_EditorTest extends PHPUnit_Framework_TestCase
 
 
     /**
     /**
      * @group ZF-6753
      * @group ZF-6753
+     * @group ZF-8127
      */
      */
-    public function testHelperShouldNotUseTextareaByDefault()
+    public function testHelperShouldOnlyUseTextareaInNoscriptTag()
     {
     {
         $html = $this->helper->editor('foo');
         $html = $this->helper->editor('foo');
-        $this->assertNotRegexp('#</?textarea[^>]*>#', $html, $html);
-    }
-
-    /**
-     * @group ZF-6753
-     */
-    public function testHelperShouldAllowDegradationViaTextareaOnDemand()
-    {
-        $html = $this->helper->editor('foo', '', array('degrade' => true));
-        $this->assertRegexp('#</?textarea[^>]*>#', $html, $html);
-    }
-
-    /**
-     * @group ZF-6753
-     */
-    public function testWhenDegradingHelperShouldUseDijitEditorDojoType()
-    {
-        $html = $this->helper->editor('foo', '', array('degrade' => true));
-        $this->assertRegexp('#</?textarea[^>]*(dojoType="dijit.Editor")[^>]*>#', $html, $html);
+        $this->assertRegexp('#<noscript><textarea[^>]*>#', $html, $html);
     }
     }
 }
 }
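Review bot: testHelperShouldOnlyUseTextareaInNoscriptTag only asserts that a `<textarea` opens directly inside `<noscript>`; it neither checks that no textarea appears outside the noscript block (the property the new name implies and the removed testHelperShouldNotUseTextareaByDefault used to cover) nor that the fallback textarea's content is escaped, which is the security guarantee this commit documents for that path. Suggest keeping `$this->assertNotRegexp('#<textarea#', preg_replace('#<noscript>.*?</noscript>#s', '', $html), $html);` in this test and adding a test that feeds a value containing markup and inspects only the noscript portion, because the same value is emitted raw into the div by design. The class's setUp and the remaining test methods are outside the hunk.
```php
    /**
     * @group ZF-8127
     */
    public function testNoscriptTextareaShouldEscapeValue()
    {
        $value = '</textarea><script>alert(1)</script>';
        $html  = $this->helper->editor('foo', $value);
        $this->assertTrue((bool) preg_match('#<noscript>(.*?)</noscript>#s', $html, $matches), $html);
        $this->assertNotContains('<script>', $matches[1], $html);
        $this->assertContains('&lt;script&gt;', $matches[1], $html);
    }
```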