Merge branch 'security/escaper-usage'

Fixes a number of components that were not using Zend\Escaper to escape HTML,
HTML attributes, and/or URLs.

src/Helper/HeadStyle.php

@@ -311,6 +311,7 @@ public function itemToString(stdClass $item, $indent)
             ) {
                 $enc = $this->view->getEncoding();
             }
+            $escaper = $this->getEscaper($enc);
             foreach ($item->attributes as $key => $value) {
                 if (!in_array($key, $this->optionalAttributes)) {
                     continue;
@@ -333,7 +334,7 @@ public function itemToString(stdClass $item, $indent)
                         $value = substr($value, 0, -1);
                     }
                 }
-                $attrString .= sprintf(' %s="%s"', $key, htmlspecialchars($value, ENT_COMPAT, $enc));
+                $attrString .= sprintf(' %s="%s"', $key, $escaper->escapeHtmlAttr($value));
             }
         }
 

src/Helper/Navigation/Sitemap.php

@@ -242,14 +242,8 @@ public function getServerUrl()
      */
     protected function xmlEscape($string)
     {
-        $enc = 'UTF-8';
-        if ($this->view instanceof View\Renderer\RendererInterface
-            && method_exists($this->view, 'getEncoding')
-        ) {
-            $enc = $this->view->getEncoding();
-        }
-
-        return htmlspecialchars($string, ENT_QUOTES, $enc, false);
+        $escaper = $this->view->plugin('escapeHtml');
+        return $escaper($string);
     }
 
     // Public methods:

src/Helper/Placeholder/Container/AbstractStandalone.php

@@ -10,8 +10,10 @@
 
 namespace Zend\View\Helper\Placeholder\Container;
 
+use Zend\Escaper\Escaper;
 use Zend\View\Exception;
 use Zend\View\Helper\Placeholder\Registry;
+use Zend\View\Renderer\RendererInterface;
 
 /**
  * Base class for targeted placeholder helpers
@@ -28,6 +30,11 @@ abstract class AbstractStandalone
      */
     protected $container;
 
+    /**
+     * @var Escaper[]
+     */
+    protected $escapers = array();
+
     /**
      * @var \Zend\View\Helper\Placeholder\Registry
      */
@@ -78,6 +85,35 @@ public function setRegistry(Registry $registry)
         return $this;
     }
 
+    /**
+     * Set Escaper instance
+     *
+     * @param  Escaper $escaper
+     * @return AbstractStandalone
+     */
+    public function setEscaper(Escaper $escaper)
+    {
+        $encoding = $escaper->getEncoding();
+        $this->escapers[$encoding] = $escaper;
+        return $this;
+    }
+
+    /**
+     * Get Escaper instance
+     *
+     * Lazy-loads one if none available
+     *
+     * @return mixed
+     */
+    public function getEscaper($enc = 'UTF-8')
+    {
+        $enc = strtolower($enc);
+        if (!isset($this->escapers[$enc])) {
+            $this->setEscaper(new Escaper($enc));
+        }
+        return $this->escapers[$enc];
+    }
+
     /**
      * Set whether or not auto escaping should be used
      *
@@ -108,23 +144,16 @@ public function getAutoEscape()
      */
     protected function escape($string)
     {
-        $enc = 'UTF-8';
-        if ($this->view instanceof \Zend\View\Renderer\RendererInterface
+        if ($this->view instanceof RendererInterface
             && method_exists($this->view, 'getEncoding')
         ) {
-            $enc = $this->view->getEncoding();
+            $enc     = $this->view->getEncoding();
             $escaper = $this->view->plugin('escapeHtml');
             return $escaper((string) $string);
         }
-        /**
-         * bump this out to a protected method to kill the instance penalty!
-         */
-        $escaper = new \Zend\Escaper\Escaper($enc);
+
+        $escaper = $this->getEscaper();
         return $escaper->escapeHtml((string) $string);
-        /**
-         * Replaced to ensure consistent escaping
-         */
-        //return htmlspecialchars((string) $string, ENT_COMPAT, $enc);
     }
 
     /**