Archive for March, 2009

Zend Framework in the Enterprise

Jim Plush has written a good article on why he chose Zend Framework for Enterprise usage.

He talks about the problems maintaining multiple sites in different technologies and lists the key reasons that he decided on Zend Framework including that there are books available.

He also covers development practices that he uses to help maintain the quality of the code.

Well worth a read.

Posted by Rob on 26th March 2009 under Around the web | Comments Off

Zend_Filter_StripTags Security Advisory

Wil Sinclair posted this to the Zend Framework announcements mailing list:

The Zend Framework team was recently notified of an XSS attack vector in its Zend_Filter_StripTags class. Zend_Filter_StripTags offers the ability to strip HTML tags from text, but also to selectively choose which tags and specific attributes of those tags to keep.

The XSS attack vector was due to a bug in matching HTML tag attributes to retain. If whitespace was introduced surrounding the attribute assignment operator or the value included newline characters, the attribute would always be included in the final output, even if it was not marked to retain.

A security fix has been created and released with Zend Framework 1.7.7.

Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release branches.

The Zend Framework team strongly recommends upgrading to version 1.7.7. If you cannot upgrade at this time, we recommend exporting from the release branch matching the minor release you are currently using, or downloading the file listed below and pushing it into your Zend Framework installation.

http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php

Thank you.

,Wil
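The failure mode the advisory describes, shown as an added Python example that is not Zend Framework's code (the regexes, function names and the sample policy are constructed for illustration): a filter that deletes only the attributes its strict pattern recognises leaves any attribute it cannot parse in the output, whereas a filter that rebuilds the tag from tokenised, whitelisted attributes drops them.

```python
import re

# Both functions take one complete tag such as '<a href="/x">' and a whitelist
# of the form {'a': ('href',)} (a constructed sample policy, not ZF's API).
_TAG = re.compile(r'<\s*([a-zA-Z][\w:-]*)(.*?)\s*/?>$', re.S)

# Only recognises the tidy form  name="value"  with no whitespace or newlines.
_ATTR_STRICT = re.compile(r'\s+([a-zA-Z][\w:-]*)="([^"\n]*)"')

# Tolerates whitespace around '=' and newlines inside quoted values.
_ATTR_LOOSE = re.compile(
    r'([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+)))?')


def filter_fail_open(tag, allowed_attrs):
    """Flawed design: delete the non-whitelisted attributes the strict pattern
    can see. An attribute the pattern fails to match is left in place, which is
    the class of bug the advisory describes."""
    m = _TAG.match(tag)
    if not m:
        return ''
    name, body = m.group(1).lower(), m.group(2)
    allowed = allowed_attrs.get(name, ())

    def keep(a):
        return a.group(0) if a.group(1).lower() in allowed else ''

    return '<%s%s>' % (name, _ATTR_STRICT.sub(keep, body))


def filter_fail_closed(tag, allowed_attrs):
    """Hardened design: tokenise every attribute with the tolerant pattern and
    rebuild the tag from whitelisted attributes only, so anything the tokeniser
    cannot account for is dropped instead of passed through."""
    m = _TAG.match(tag)
    if not m:
        return ''
    name, body = m.group(1).lower(), m.group(2)
    allowed = allowed_attrs.get(name, ())
    kept = []
    for a in _ATTR_LOOSE.finditer(body):
        if a.group(1).lower() in allowed:
            value = a.group(2) or a.group(3) or a.group(4) or ''
            kept.append(' %s="%s"' % (a.group(1).lower(), value.replace('"', '&quot;')))
    return '<%s%s>' % (name, ''.join(kept))


# Constructed regression cases for the two failure modes named in the advisory.
POLICY = {'a': ('href',)}
SPACED_EQUALS = '<a href="/x" onclick = "handler()">'
NEWLINE_VALUE = '<a href="/x" onclick="first()\nsecond()">'
```

Both cases pass through the fail-open filter unchanged and are reduced to `<a href="/x">` by the fail-closed one; the tidy form `onclick="h()"` is handled correctly by both, which is why a test suite written only against tidy input misses the bug.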

Posted by Rob on 20th March 2009 under News | Comments Off

Manning is on Twitter!

It turns out that Manning, the publisher of Zend Framework in Action is on Twitter!

It also turns out that they’ve put up a sample of the book on Scribd! Check out the book, then order it, remembering to use the coupon code scribd25.

Posted by Rob on 19th March 2009 under The Book | Comments Off

Zend_Form_Element_Hash and CSRF

I’m a little behind on this one, but earlier this month, Tom Graham posted an article on preventing CSRF properly by sending back a 403 Forbidden if the Zend_Form_Element_Hash validation fails.

Well worth a read.

Posted by Rob on 14th March 2009 under Around the web | Comments Off

Pros and cons of the ActionStack

Whilst Zend Framework in Action covers how to use the ActionStack front controller plugin, there are distinct disadvantages to using it. These are not covered in the book; however, Ryan Mauger has posted an article on why the ActionStack is evil.

Everyone should read it. Then if you decide to use the ActionStack, you are aware of the trade-offs.

Posted by Rob on 12th March 2009 under Around the web | Comments Off