
ZF-8029: backport r18550 to trunk

git-svn-id: http://framework.zend.com/svn/framework/standard/trunk@18551 44c647ce-9c0f-0410-b52a-842ac1e357ba
matthew il y a 16 ans
Parent
commit
8ad8cfc289

+ 2 - 1
library/Zend/Controller/Router/Route/Module.php

@@ -233,9 +233,10 @@ class Zend_Controller_Router_Route_Module extends Zend_Controller_Router_Route_A
         unset($params[$this->_actionKey]);
 
         foreach ($params as $key => $value) {
+            $key = ($encode) ? urlencode($key) : $key;
             if (is_array($value)) {
                 foreach ($value as $arrayValue) {
-                    if ($encode) $arrayValue = urlencode($arrayValue);
+                    $arrayValue = ($encode) ? urlencode($arrayValue) : $arrayValue;
                     $url .= '/' . $key;
                     $url .= '/' . $arrayValue;
                 }
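Review bot: The key encoding added at the top of the `foreach` is still gated on `$encode`, like the array-value line below it, so a caller that turns encoding off gets parameter names and values appended to `$url` verbatim. Parameter names may be request-derived (the accompanying test uses a markup-bearing key), so that contract deserves a comment above the loop, e.g. `// With $encode false, keys and values are appended unescaped; the caller must encode before output.` The scalar branch of `if (is_array($value))` and the rest of the method lie outside the hunk, so I cannot confirm from here that non-array values get the same treatment. Note also that `urlencode()` only makes the segment URL-safe; the assembled URL still needs HTML escaping where it is written into a page.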

+ 15 - 0
tests/Zend/Controller/Router/Route/ModuleTest.php

@@ -475,6 +475,21 @@ class Zend_Controller_Router_Route_ModuleTest extends PHPUnit_Framework_TestCase
         $this->assertSame('ctrl', $values['c'], var_export(array_keys($values), 1));
         $this->assertSame('index', $values['a'], var_export(array_keys($values), 1));
     }
+
+    /**
+     * @group ZF-8029
+     */
+    public function testAssembleShouldUrlEncodeAllParameterNames()
+    {
+        $params = array(
+            'controller' => 'foo',
+            'action' => 'bar',
+            '"><script>alert(11639)<' => 'script>',
+            'module' => 'default',
+        );
+        $url = $this->route->assemble($params);
+        $this->assertNotContains('"><script>alert(11639)<', $url);
+    }
 }
 
 // Call Zend_Controller_Router_Route_ModuleTest::main() if this source file is executed directly.
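Review bot: The lone `assertNotContains` in `testAssembleShouldUrlEncodeAllParameterNames` would also pass if `assemble()` silently dropped the parameter, so the test does not pin that the name is actually encoded. Add a positive check such as `$this->assertContains(urlencode('"><script>alert(11639)<'), $url);`. The commit also rewrites the array-value line in Module.php, but nothing here exercises an array-valued parameter; a second case with a value like `array('<b>')` would cover it. The test relies on whatever default `assemble()` uses for its encode argument, which is not visible on this page.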