From 0a78cb2b633a618ac514eadef2c19ef78b1e12f2 Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney <matthew@zend.com>
Date: Mon, 17 Sep 2012 13:10:59 -0500
Subject: [PATCH 1/9] Patch Zend\Tag\Cloud\Decorator\HtmlCloud to use Escaper

- Modified HtmlCloud to use Escaper internally (and to allow composing
  an Escaper instance)
- Validate HTML element names and attribute names before using them.
---
 .../Zend/Tag/Cloud/Decorator/HtmlCloud.php    | 76 ++++++++++++++++++-
 .../InvalidAttributeNameException.php         | 16 ++++
 .../Exception/InvalidElementNameException.php | 16 ++++
 library/Zend/Tag/composer.json                |  5 +-
 tests/ZendTest/Tag/Cloud/CloudTest.php        |  4 +-
 .../Tag/Cloud/Decorator/HtmlCloudTest.php     | 61 ++++++++++++++-
 6 files changed, 169 insertions(+), 9 deletions(-)
 create mode 100644 library/Zend/Tag/Exception/InvalidAttributeNameException.php
 create mode 100644 library/Zend/Tag/Exception/InvalidElementNameException.php

diff --git a/library/Zend/Tag/Cloud/Decorator/HtmlCloud.php b/library/Zend/Tag/Cloud/Decorator/HtmlCloud.php
index b0429469563..6f017519668 100644
--- a/library/Zend/Tag/Cloud/Decorator/HtmlCloud.php
+++ b/library/Zend/Tag/Cloud/Decorator/HtmlCloud.php
@@ -10,6 +10,9 @@
 
 namespace Zend\Tag\Cloud\Decorator;
 
+use Zend\Escaper\Escaper;
+use Zend\Tag\Exception;
+
 /**
  * Simple HTML decorator for clouds
  *
@@ -23,6 +26,11 @@ class HtmlCloud extends AbstractCloud
      */
     protected $encoding = 'UTF-8';
 
+    /**
+     * @var Escaper
+     */
+    protected $escaper;
+
     /**
      * List of HTML tags
      *
@@ -61,6 +69,33 @@ public function setEncoding($value)
         return $this;
     }
 
+    /**
+     * Set Escaper instance
+     *
+     * @param  Escaper $escaper
+     * @return HtmlCloud
+     */
+    public function setEscaper($escaper)
+    {
+        $this->escaper = $escaper;
+        return $this;
+    }
+    
+    /**
+     * Retrieve Escaper instance
+     *
+     * If none registered, instantiates and registers one using current encoding.
+     *
+     * @return Escaper
+     */
+    public function getEscaper()
+    {
+        if (null === $this->escaper) {
+            $this->setEscaper(new Escaper($this->getEncoding()));
+        }
+        return $this->escaper;
+    }
+
     /**
      * Set the HTML tags surrounding all tags
      *
@@ -122,17 +157,20 @@ public function render($tags)
         }
         $cloudHTML = implode($this->getSeparator(), $tags);
 
-        $enc = $this->getEncoding();
+        $escaper = $this->getEscaper();
         foreach ($this->getHTMLTags() as $key => $data) {
             if (is_array($data)) {
                 $htmlTag    = $key;
+                $this->validateElementName($htmlTag);
                 $attributes = '';
 
                 foreach ($data as $param => $value) {
-                    $attributes .= ' ' . $param . '="' . htmlspecialchars($value, ENT_COMPAT, $enc) . '"';
+                    $this->validateAttributeName($param);
+                    $attributes .= ' ' . $param . '="' . $escaper->escapeHtmlAttr($value) . '"';
                 }
             } else {
                 $htmlTag    = $data;
+                $this->validateElementName($htmlTag);
                 $attributes = '';
             }
 
@@ -141,4 +179,38 @@ public function render($tags)
 
         return $cloudHTML;
     }
+
+    /**
+     * Validate an HTML element name
+     * 
+     * @param  string $name 
+     * @throws Exception\InvalidElementNameException
+     */
+    protected function validateElementName($name)
+    {
+        if (!preg_match('/^[a-z0-9]+$/i', $name)) {
+            throw new Exception\InvalidElementNameException(sprintf(
+                '%s: Invalid element name "%s" provided; please provide valid HTML element names',
+                __METHOD__,
+                $this->getEscaper()->escapeHtml($name)
+            ));
+        }
+    }
+
+    /**
+     * Validate an HTML attribute name
+     * 
+     * @param  string $name 
+     * @throws Exception\InvalidAttributeNameException
+     */
+    protected function validateAttributeName($name)
+    {
+        if (!preg_match('/^[a-z_:][-a-z0-9_:.]*$/i', $name)) {
+            throw new Exception\InvalidAttributeNameException(sprintf(
+                '%s: Invalid HTML attribute name "%s" provided; please provide valid HTML attribute names',
+                __METHOD__,
+                $this->getEscaper()->escapeHtml($name)
+            ));
+        }
+    }
 }
diff --git a/library/Zend/Tag/Exception/InvalidAttributeNameException.php b/library/Zend/Tag/Exception/InvalidAttributeNameException.php
new file mode 100644
index 00000000000..41288292adc
--- /dev/null
+++ b/library/Zend/Tag/Exception/InvalidAttributeNameException.php
@@ -0,0 +1,16 @@
+<?php
+/**
+ * Zend Framework (http://framework.zend.com/)
+ *
+ * @link      http://github.com/zendframework/zf2 for the canonical source repository
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license   http://framework.zend.com/license/new-bsd New BSD License
+ * @package   Zend_Tag
+ */
+
+namespace Zend\Tag\Exception;
+
+use DomainException;
+
+class InvalidAttributeNameException extends DomainException implements ExceptionInterface
+{}
diff --git a/library/Zend/Tag/Exception/InvalidElementNameException.php b/library/Zend/Tag/Exception/InvalidElementNameException.php
new file mode 100644
index 00000000000..0adce5e805c
--- /dev/null
+++ b/library/Zend/Tag/Exception/InvalidElementNameException.php
@@ -0,0 +1,16 @@
+<?php
+/**
+ * Zend Framework (http://framework.zend.com/)
+ *
+ * @link      http://github.com/zendframework/zf2 for the canonical source repository
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license   http://framework.zend.com/license/new-bsd New BSD License
+ * @package   Zend_Tag
+ */
+
+namespace Zend\Tag\Exception;
+
+use DomainException;
+
+class InvalidElementNameException extends DomainException implements ExceptionInterface
+{}
diff --git a/library/Zend/Tag/composer.json b/library/Zend/Tag/composer.json
index 7e9e99662b6..8014f15a679 100644
--- a/library/Zend/Tag/composer.json
+++ b/library/Zend/Tag/composer.json
@@ -13,6 +13,7 @@
     },
     "target-dir": "Zend/Tag",
     "require": {
-        "php": ">=5.3.3"
+        "php": ">=5.3.3",
+        "zendframework/zend-escaper": "self.version"
     }
-}
\ No newline at end of file
+}
diff --git a/tests/ZendTest/Tag/Cloud/CloudTest.php b/tests/ZendTest/Tag/Cloud/CloudTest.php
index b22690bb6a9..0b8b07438bc 100644
--- a/tests/ZendTest/Tag/Cloud/CloudTest.php
+++ b/tests/ZendTest/Tag/Cloud/CloudTest.php
@@ -208,7 +208,7 @@ public function testSkipOptions()
     public function testRender()
     {
         $cloud    = $this->_getCloud(array('tags' => array(array('title' => 'foo', 'weight' => 1), array('title' => 'bar', 'weight' => 3))));
-        $expected = '<ul class="Zend\Tag\Cloud">'
+        $expected = '<ul class="Zend&#x5C;Tag&#x5C;Cloud">'
                   . '<li><a href="" style="font-size: 10px;">foo</a></li> '
                   . '<li><a href="" style="font-size: 20px;">bar</a></li>'
                   . '</ul>';
@@ -224,7 +224,7 @@ public function testRenderEmptyCloud()
     public function testRenderViaToString()
     {
         $cloud = $this->_getCloud(array('tags' => array(array('title' => 'foo', 'weight' => 1), array('title' => 'bar', 'weight' => 3))));
-        $expected = '<ul class="Zend\Tag\Cloud">'
+        $expected = '<ul class="Zend&#x5C;Tag&#x5C;Cloud">'
                   . '<li><a href="" style="font-size: 10px;">foo</a></li> '
                   . '<li><a href="" style="font-size: 20px;">bar</a></li>'
                   . '</ul>';
diff --git a/tests/ZendTest/Tag/Cloud/Decorator/HtmlCloudTest.php b/tests/ZendTest/Tag/Cloud/Decorator/HtmlCloudTest.php
index 9ddfe385b7f..53b1efb0bff 100644
--- a/tests/ZendTest/Tag/Cloud/Decorator/HtmlCloudTest.php
+++ b/tests/ZendTest/Tag/Cloud/Decorator/HtmlCloudTest.php
@@ -25,7 +25,7 @@ public function testDefaultOutput()
     {
         $decorator = new Decorator\HtmlCloud();
 
-        $this->assertEquals('<ul class="Zend\Tag\Cloud">foo bar</ul>', $decorator->render(array('foo', 'bar')));
+        $this->assertEquals('<ul class="Zend&#x5C;Tag&#x5C;Cloud">foo bar</ul>', $decorator->render(array('foo', 'bar')));
     }
 
     public function testNestedTags()
@@ -41,7 +41,7 @@ public function testSeparator()
         $decorator = new Decorator\HtmlCloud();
         $decorator->setSeparator('-');
 
-        $this->assertEquals('<ul class="Zend\Tag\Cloud">foo-bar</ul>', $decorator->render(array('foo', 'bar')));
+        $this->assertEquals('<ul class="Zend&#x5C;Tag&#x5C;Cloud">foo-bar</ul>', $decorator->render(array('foo', 'bar')));
     }
 
     public function testConstructorWithArray()
@@ -71,5 +71,60 @@ public function testSkipOptions()
         $decorator = new Decorator\HtmlCloud(array('options' => 'foobar'));
         // In case would fail due to an error
     }
-}
 
+    public function invalidHtmlTagProvider()
+    {
+        return array(
+            array(array('_foo')),
+            array(array('&foo')),
+            array(array(' foo')),
+            array(array(' foo')),
+            array(array(
+                '_foo' => array(),
+            )),
+        );
+    }
+
+    /**
+     * @dataProvider invalidHtmlTagProvider
+     */
+    public function testInvalidHtmlTagsRaiseAnException($tags)
+    {
+        $decorator = new Decorator\HtmlCloud();
+        $decorator->setHTMLTags($tags);
+        $this->setExpectedException('Zend\Tag\Exception\InvalidElementNameException');
+        $decorator->render(array());
+    }
+
+    public function invalidAttributeProvider()
+    {
+        return array(
+            array(array(
+                'foo' => array(
+                    '&bar' => 'baz',
+                ),
+            )),
+            array(array(
+                'foo' => array(
+                    ':bar&baz' => 'bat',
+                ),
+            )),
+            array(array(
+                'foo' => array(
+                    'bar/baz' => 'bat',
+                ),
+            )),
+        );
+    }
+
+    /**
+     * @dataProvider invalidAttributeProvider
+     */
+    public function testInvalidAttributeNamesRaiseAnException($tags)
+    {
+        $decorator = new Decorator\HtmlCloud();
+        $decorator->setHTMLTags($tags);
+        $this->setExpectedException('Zend\Tag\Exception\InvalidAttributeNameException');
+        $decorator->render(array());
+    }
+}

From 6f57175753a238388b4811b9b0786b6d5866a208 Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney <matthew@zend.com>
Date: Mon, 17 Sep 2012 14:20:10 -0500
Subject: [PATCH 2/9] Refactored Zend\Tag\Cloud\Decorator\HtmlTag to use
 Escaper

- Uses Escaper to escape attributes, URLs for hrefs, and tag titles
- Validates HTML element names and attribute names
---
 library/Zend/Tag/Cloud/Decorator/HtmlTag.php  |  82 ++++++++++++-
 .../Tag/Cloud/Decorator/HtmlTagTest.php       | 115 +++++++++++++-----
 2 files changed, 159 insertions(+), 38 deletions(-)

diff --git a/library/Zend/Tag/Cloud/Decorator/HtmlTag.php b/library/Zend/Tag/Cloud/Decorator/HtmlTag.php
index de8b9a2e4d2..8f66f0e0775 100644
--- a/library/Zend/Tag/Cloud/Decorator/HtmlTag.php
+++ b/library/Zend/Tag/Cloud/Decorator/HtmlTag.php
@@ -10,7 +10,9 @@
 
 namespace Zend\Tag\Cloud\Decorator;
 
+use Zend\Escaper\Escaper;
 use Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException;
+use Zend\Tag\Exception;
 use Zend\Tag\ItemList;
 
 /**
@@ -34,6 +36,11 @@ class HtmlTag extends AbstractTag
      */
     protected $encoding = 'UTF-8';
 
+    /**
+     * @var Escaper
+     */
+    protected $escaper;
+
     /**
      * Unit for the fontsize
      *
@@ -129,6 +136,33 @@ public function setEncoding($value)
         return $this;
     }
 
+    /**
+     * Set Escaper instance
+     *
+     * @param  Escaper $escaper
+     * @return HtmlTag
+     */
+    public function setEscaper($escaper)
+    {
+        $this->escaper = $escaper;
+        return $this;
+    }
+    
+    /**
+     * Retrieve Escaper instance
+     *
+     * If none registered, instantiates and registers one using current encoding.
+     *
+     * @return Escaper
+     */
+    public function getEscaper()
+    {
+        if (null === $this->escaper) {
+            $this->setEscaper(new Escaper($this->getEncoding()));
+        }
+        return $this->escaper;
+    }
+
     /**
      * Set the font size unit
      *
@@ -260,26 +294,30 @@ public function render($tags)
         $result = array();
 
         $enc = $this->getEncoding();
+        $escaper = $this->getEscaper();
         foreach ($tags as $tag) {
             if (null === ($classList = $this->getClassList())) {
                 $attribute = sprintf('style="font-size: %d%s;"', $tag->getParam('weightValue'), $this->getFontSizeUnit());
             } else {
-                $attribute = sprintf('class="%s"', htmlspecialchars($tag->getParam('weightValue'), ENT_COMPAT, $enc));
+                $attribute = sprintf('class="%s"', $escaper->escapeHtmlAttr($tag->getParam('weightValue')));
             }
 
-            $tagHTML = sprintf('<a href="%s" %s>%s</a>', htmlSpecialChars($tag->getParam('url'), ENT_COMPAT, $enc), $attribute, $tag->getTitle());
+            $tagHTML = sprintf('<a href="%s" %s>%s</a>', $escaper->escapeHtml($tag->getParam('url')), $attribute, $escaper->escapeHtml($tag->getTitle()));
 
             foreach ($this->getHTMLTags() as $key => $data) {
                 if (is_array($data)) {
-                    $htmlTag    = $key;
                     $attributes = '';
+                    $htmlTag    = $key;
+                    $this->validateElementName($htmlTag);
 
                     foreach ($data as $param => $value) {
-                        $attributes .= ' ' . $param . '="' . htmlspecialchars($value, ENT_COMPAT, $enc) . '"';
+                        $this->validateAttributeName($param);
+                        $attributes .= ' ' . $param . '="' . $escaper->escapeHtmlAttr($value) . '"';
                     }
                 } else {
-                    $htmlTag    = $data;
                     $attributes = '';
+                    $htmlTag    = $data;
+                    $this->validateElementName($htmlTag);
                 }
 
                 $tagHTML = sprintf('<%1$s%3$s>%2$s</%1$s>', $htmlTag, $tagHTML, $attributes);
@@ -290,4 +328,38 @@ public function render($tags)
 
         return $result;
     }
+
+    /**
+     * Validate an HTML element name
+     * 
+     * @param  string $name 
+     * @throws Exception\InvalidElementNameException
+     */
+    protected function validateElementName($name)
+    {
+        if (!preg_match('/^[a-z0-9]+$/i', $name)) {
+            throw new Exception\InvalidElementNameException(sprintf(
+                '%s: Invalid element name "%s" provided; please provide valid HTML element names',
+                __METHOD__,
+                $this->getEscaper()->escapeHtml($name)
+            ));
+        }
+    }
+
+    /**
+     * Validate an HTML attribute name
+     * 
+     * @param  string $name 
+     * @throws Exception\InvalidAttributeNameException
+     */
+    protected function validateAttributeName($name)
+    {
+        if (!preg_match('/^[a-z_:][-a-z0-9_:.]*$/i', $name)) {
+            throw new Exception\InvalidAttributeNameException(sprintf(
+                '%s: Invalid HTML attribute name "%s" provided; please provide valid HTML attribute names',
+                __METHOD__,
+                $this->getEscaper()->escapeHtml($name)
+            ));
+        }
+    }
 }
diff --git a/tests/ZendTest/Tag/Cloud/Decorator/HtmlTagTest.php b/tests/ZendTest/Tag/Cloud/Decorator/HtmlTagTest.php
index 7f4e7c493e0..ff11454297b 100644
--- a/tests/ZendTest/Tag/Cloud/Decorator/HtmlTagTest.php
+++ b/tests/ZendTest/Tag/Cloud/Decorator/HtmlTagTest.php
@@ -10,9 +10,9 @@
 
 namespace ZendTest\Tag\Cloud\Decorator;
 
-use	Zend\Tag,
-    Zend\Tag\Cloud\Decorator,
-    Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException;
+use	Zend\Tag;
+use Zend\Tag\Cloud\Decorator;
+use Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException;
 
 /**
  * @category   Zend
@@ -74,60 +74,40 @@ public function testEmptyClassList()
     {
         $decorator = new Decorator\HtmlTag();
 
-        try {
-            $decorator->setClassList(array());
-            $this->fail('An expected Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException was not raised');
-        } catch (InvalidArgumentException $e) {
-            $this->assertEquals($e->getMessage(), 'Classlist is empty');
-        }
+        $this->setExpectedException('Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException', 'Classlist is empty');
+        $decorator->setClassList(array());
     }
 
     public function testInvalidClassList()
     {
         $decorator = new Decorator\HtmlTag();
 
-        try {
-            $decorator->setClassList(array(array()));
-            $this->fail('An expected Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException was not raised');
-        } catch (InvalidArgumentException $e) {
-            $this->assertEquals($e->getMessage(), 'Classlist contains an invalid classname');
-        }
+        $this->setExpectedException('Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException', 'Classlist contains an invalid classname');
+        $decorator->setClassList(array(array()));
     }
 
     public function testInvalidFontSizeUnit()
     {
         $decorator = new Decorator\HtmlTag();
 
-        try {
-            $decorator->setFontSizeUnit('foo');
-            $this->fail('An expected Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException was not raised');
-        } catch (InvalidArgumentException $e) {
-            $this->assertEquals($e->getMessage(), 'Invalid fontsize unit specified');
-        }
+        $this->setExpectedException('Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException', 'Invalid fontsize unit specified');
+        $decorator->setFontSizeUnit('foo');
     }
 
     public function testInvalidMinFontSize()
     {
         $decorator = new Decorator\HtmlTag();
 
-        try {
-            $decorator->setMinFontSize('foo');
-            $this->fail('An expected Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException was not raised');
-        } catch (InvalidArgumentException $e) {
-            $this->assertEquals($e->getMessage(), 'Fontsize must be numeric');
-        }
+        $this->setExpectedException('Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException', 'Fontsize must be numeric');
+        $decorator->setMinFontSize('foo');
     }
 
     public function testInvalidMaxFontSize()
     {
         $decorator = new Decorator\HtmlTag();
 
-        try {
-            $decorator->setMaxFontSize('foo');
-            $this->fail('An expected Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException was not raised');
-        } catch (InvalidArgumentException $e) {
-            $this->assertEquals($e->getMessage(), 'Fontsize must be numeric');
-        }
+        $this->setExpectedException('Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException', 'Fontsize must be numeric');
+        $decorator->setMaxFontSize('foo');
     }
 
     public function testConstructorWithArray()
@@ -173,4 +153,73 @@ protected function _getTagList()
 
         return $list;
     }
+
+    public function getTags()
+    {
+        $tags = new Tag\ItemList();
+        $tags[] = new Tag\Item(array(
+            'title' => 'tag',
+            'weight' => 1,
+            'params' => array(
+                'url' => 'http://testing',
+            ),
+        ));
+        return $tags;
+    }
+
+    public function invalidHtmlElementProvider()
+    {
+        return array(
+            array(array('_foo')),
+            array(array('&foo')),
+            array(array(' foo')),
+            array(array(' foo')),
+            array(array(
+                '_foo' => array(),
+            )),
+        );
+    }
+
+    /**
+     * @dataProvider invalidHtmlElementProvider
+     */
+    public function testInvalidElementNamesRaiseAnException($tags)
+    {
+        $decorator = new Decorator\HtmlTag();
+        $decorator->setHTMLTags($tags);
+        $this->setExpectedException('Zend\Tag\Exception\InvalidElementNameException');
+        $decorator->render($this->getTags());
+    }
+
+    public function invalidAttributeProvider()
+    {
+        return array(
+            array(array(
+                'foo' => array(
+                    '&bar' => 'baz',
+                ),
+            )),
+            array(array(
+                'foo' => array(
+                    ':bar&baz' => 'bat',
+                ),
+            )),
+            array(array(
+                'foo' => array(
+                    'bar/baz' => 'bat',
+                ),
+            )),
+        );
+    }
+
+    /**
+     * @dataProvider invalidAttributeProvider
+     */
+    public function testInvalidAttributesRaiseAnException($tags)
+    {
+        $decorator = new Decorator\HtmlTag();
+        $decorator->setHTMLTags($tags);
+        $this->setExpectedException('Zend\Tag\Exception\InvalidAttributeNameException');
+        $decorator->render($this->getTags());
+    }
 }

From 47557dbb9187cfa6bb779233cd31821e308b5410 Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney <matthew@zend.com>
Date: Mon, 17 Sep 2012 15:16:47 -0500
Subject: [PATCH 3/9] Refactor Zend\Tag\Cloud decorators

- Move all common functionality to AbstractDecorator
  - constructor
  - setOptions implementation
  - encoding implementation
  - escaper implementation
  - validate html element and attribute names implementation
  - wrap HTML in additional tags implementation
- AbstractCloud extends AbstractDecorator
- AbstractTag extends AbstractDecorator
- HtmlCloud and HtmlTag simplified to remove common code
---
 .../Tag/Cloud/Decorator/AbstractCloud.php     |  52 +----
 .../Tag/Cloud/Decorator/AbstractDecorator.php | 190 ++++++++++++++++++
 .../Zend/Tag/Cloud/Decorator/AbstractTag.php  |  52 +----
 .../Zend/Tag/Cloud/Decorator/HtmlCloud.php    | 118 +----------
 library/Zend/Tag/Cloud/Decorator/HtmlTag.php  | 119 +----------
 5 files changed, 195 insertions(+), 336 deletions(-)
 create mode 100644 library/Zend/Tag/Cloud/Decorator/AbstractDecorator.php

diff --git a/library/Zend/Tag/Cloud/Decorator/AbstractCloud.php b/library/Zend/Tag/Cloud/Decorator/AbstractCloud.php
index 956d2f07686..3c02ca1ad1a 100644
--- a/library/Zend/Tag/Cloud/Decorator/AbstractCloud.php
+++ b/library/Zend/Tag/Cloud/Decorator/AbstractCloud.php
@@ -10,62 +10,12 @@
 
 namespace Zend\Tag\Cloud\Decorator;
 
-use Traversable;
-use Zend\Stdlib\ArrayUtils;
-use Zend\Tag\Cloud\Decorator\DecoratorInterface as Decorator;
-
 /**
  * Abstract class for cloud decorators
  *
  * @category  Zend
  * @package   Zend_Tag
  */
-abstract class AbstractCloud implements Decorator
+abstract class AbstractCloud extends AbstractDecorator
 {
-    /**
-     * Option keys to skip when calling setOptions()
-     *
-     * @var array
-     */
-    protected $skipOptions = array(
-        'options',
-        'config',
-    );
-
-    /**
-     * Create a new cloud decorator with options
-     *
-     * @param  array|Traversable $options
-     */
-    public function __construct($options = null)
-    {
-        if ($options instanceof Traversable) {
-            $options = ArrayUtils::iteratorToArray($options);
-        }
-        if (is_array($options)) {
-            $this->setOptions($options);
-        }
-    }
-
-    /**
-     * Set options from array
-     *
-     * @param  array $options Configuration for the decorator
-     * @return AbstractCloud
-     */
-    public function setOptions(array $options)
-    {
-        foreach ($options as $key => $value) {
-            if (in_array(strtolower($key), $this->skipOptions)) {
-                continue;
-            }
-
-            $method = 'set' . $key;
-            if (method_exists($this, $method)) {
-                $this->$method($value);
-            }
-        }
-
-        return $this;
-    }
 }
diff --git a/library/Zend/Tag/Cloud/Decorator/AbstractDecorator.php b/library/Zend/Tag/Cloud/Decorator/AbstractDecorator.php
new file mode 100644
index 00000000000..4d6c9541268
--- /dev/null
+++ b/library/Zend/Tag/Cloud/Decorator/AbstractDecorator.php
@@ -0,0 +1,190 @@
+<?php
+/**
+ * Zend Framework (http://framework.zend.com/)
+ *
+ * @link      http://github.com/zendframework/zf2 for the canonical source repository
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license   http://framework.zend.com/license/new-bsd New BSD License
+ * @package   Zend_Tag
+ */
+
+namespace Zend\Tag\Cloud\Decorator;
+
+use Traversable;
+use Zend\Escaper\Escaper;
+use Zend\Stdlib\ArrayUtils;
+use Zend\Tag\Cloud\Decorator\DecoratorInterface as Decorator;
+use Zend\Tag\Exception;
+
+/**
+ * Abstract class for decorators
+ *
+ * @category  Zend
+ * @package   Zend_Tag
+ */
+abstract class AbstractDecorator implements Decorator
+{
+    /**
+     * @var string Encoding to use
+     */
+    protected $encoding = 'UTF-8';
+
+    /**
+     * @var Escaper
+     */
+    protected $escaper;
+
+    /**
+     * Option keys to skip when calling setOptions()
+     *
+     * @var array
+     */
+    protected $skipOptions = array(
+        'options',
+        'config',
+    );
+
+    /**
+     * Create a new decorator with options
+     *
+     * @param  array|Traversable $options
+     */
+    public function __construct($options = null)
+    {
+        if ($options instanceof Traversable) {
+            $options = ArrayUtils::iteratorToArray($options);
+        }
+        if (is_array($options)) {
+            $this->setOptions($options);
+        }
+    }
+
+    /**
+     * Set options from array
+     *
+     * @param  array $options Configuration for the decorator
+     * @return AbstractTag
+     */
+    public function setOptions(array $options)
+    {
+        foreach ($options as $key => $value) {
+            if (in_array(strtolower($key), $this->skipOptions)) {
+                continue;
+            }
+
+            $method = 'set' . $key;
+            if (method_exists($this, $method)) {
+                $this->$method($value);
+            }
+        }
+
+        return $this;
+    }
+
+    /**
+     * Get encoding
+     *
+     * @return string
+     */
+    public function getEncoding()
+    {
+        return $this->encoding;
+    }
+
+    /**
+     * Set encoding
+     *
+     * @param string
+     * @return HTMLCloud
+     */
+    public function setEncoding($value)
+    {
+        $this->encoding = (string) $value;
+        return $this;
+    }
+
+    /**
+     * Set Escaper instance
+     *
+     * @param  Escaper $escaper
+     * @return HtmlCloud
+     */
+    public function setEscaper($escaper)
+    {
+        $this->escaper = $escaper;
+        return $this;
+    }
+    
+    /**
+     * Retrieve Escaper instance
+     *
+     * If none registered, instantiates and registers one using current encoding.
+     *
+     * @return Escaper
+     */
+    public function getEscaper()
+    {
+        if (null === $this->escaper) {
+            $this->setEscaper(new Escaper($this->getEncoding()));
+        }
+        return $this->escaper;
+    }
+
+    /**
+     * Validate an HTML element name
+     * 
+     * @param  string $name 
+     * @throws Exception\InvalidElementNameException
+     */
+    protected function validateElementName($name)
+    {
+        if (!preg_match('/^[a-z0-9]+$/i', $name)) {
+            throw new Exception\InvalidElementNameException(sprintf(
+                '%s: Invalid element name "%s" provided; please provide valid HTML element names',
+                __METHOD__,
+                $this->getEscaper()->escapeHtml($name)
+            ));
+        }
+    }
+
+    /**
+     * Validate an HTML attribute name
+     * 
+     * @param  string $name 
+     * @throws Exception\InvalidAttributeNameException
+     */
+    protected function validateAttributeName($name)
+    {
+        if (!preg_match('/^[a-z_:][-a-z0-9_:.]*$/i', $name)) {
+            throw new Exception\InvalidAttributeNameException(sprintf(
+                '%s: Invalid HTML attribute name "%s" provided; please provide valid HTML attribute names',
+                __METHOD__,
+                $this->getEscaper()->escapeHtml($name)
+            ));
+        }
+    }
+
+    protected function wrapTag($html)
+    {
+        $escaper = $this->getEscaper();
+        foreach ($this->getHTMLTags() as $key => $data) {
+            if (is_array($data)) {
+                $attributes = '';
+                $htmlTag    = $key;
+                $this->validateElementName($htmlTag);
+
+                foreach ($data as $param => $value) {
+                    $this->validateAttributeName($param);
+                    $attributes .= ' ' . $param . '="' . $escaper->escapeHtmlAttr($value) . '"';
+                }
+            } else {
+                $attributes = '';
+                $htmlTag    = $data;
+                $this->validateElementName($htmlTag);
+            }
+
+            $html = sprintf('<%1$s%3$s>%2$s</%1$s>', $htmlTag, $html, $attributes);
+        }
+        return $html;
+    }
+}
diff --git a/library/Zend/Tag/Cloud/Decorator/AbstractTag.php b/library/Zend/Tag/Cloud/Decorator/AbstractTag.php
index ffd410b0e09..1db779289c0 100644
--- a/library/Zend/Tag/Cloud/Decorator/AbstractTag.php
+++ b/library/Zend/Tag/Cloud/Decorator/AbstractTag.php
@@ -10,62 +10,12 @@
 
 namespace Zend\Tag\Cloud\Decorator;
 
-use Traversable;
-use Zend\Stdlib\ArrayUtils;
-use Zend\Tag\Cloud\Decorator\DecoratorInterface as Decorator;
-
 /**
  * Abstract class for tag decorators
  *
  * @category  Zend
  * @package   Zend_Tag
  */
-abstract class AbstractTag implements Decorator
+abstract class AbstractTag extends AbstractDecorator
 {
-    /**
-     * Option keys to skip when calling setOptions()
-     *
-     * @var array
-     */
-    protected $skipOptions = array(
-        'options',
-        'config',
-    );
-
-    /**
-     * Create a new cloud decorator with options
-     *
-     * @param  array|Traversable $options
-     */
-    public function __construct($options = null)
-    {
-        if ($options instanceof Traversable) {
-            $options = ArrayUtils::iteratorToArray($options);
-        }
-        if (is_array($options)) {
-            $this->setOptions($options);
-        }
-    }
-
-    /**
-     * Set options from array
-     *
-     * @param  array $options Configuration for the decorator
-     * @return AbstractTag
-     */
-    public function setOptions(array $options)
-    {
-        foreach ($options as $key => $value) {
-            if (in_array(strtolower($key), $this->skipOptions)) {
-                continue;
-            }
-
-            $method = 'set' . $key;
-            if (method_exists($this, $method)) {
-                $this->$method($value);
-            }
-        }
-
-        return $this;
-    }
 }
diff --git a/library/Zend/Tag/Cloud/Decorator/HtmlCloud.php b/library/Zend/Tag/Cloud/Decorator/HtmlCloud.php
index 6f017519668..f352033dee9 100644
--- a/library/Zend/Tag/Cloud/Decorator/HtmlCloud.php
+++ b/library/Zend/Tag/Cloud/Decorator/HtmlCloud.php
@@ -10,9 +10,6 @@
 
 namespace Zend\Tag\Cloud\Decorator;
 
-use Zend\Escaper\Escaper;
-use Zend\Tag\Exception;
-
 /**
  * Simple HTML decorator for clouds
  *
@@ -21,16 +18,6 @@
  */
 class HtmlCloud extends AbstractCloud
 {
-    /**
-     * @var string Encoding to use
-     */
-    protected $encoding = 'UTF-8';
-
-    /**
-     * @var Escaper
-     */
-    protected $escaper;
-
     /**
      * List of HTML tags
      *
@@ -47,55 +34,6 @@ class HtmlCloud extends AbstractCloud
      */
     protected $separator = ' ';
 
-    /**
-     * Get encoding
-     *
-     * @return string
-     */
-    public function getEncoding()
-    {
-        return $this->encoding;
-    }
-
-    /**
-     * Set encoding
-     *
-     * @param string
-     * @return HTMLCloud
-     */
-    public function setEncoding($value)
-    {
-        $this->encoding = (string) $value;
-        return $this;
-    }
-
-    /**
-     * Set Escaper instance
-     *
-     * @param  Escaper $escaper
-     * @return HtmlCloud
-     */
-    public function setEscaper($escaper)
-    {
-        $this->escaper = $escaper;
-        return $this;
-    }
-    
-    /**
-     * Retrieve Escaper instance
-     *
-     * If none registered, instantiates and registers one using current encoding.
-     *
-     * @return Escaper
-     */
-    public function getEscaper()
-    {
-        if (null === $this->escaper) {
-            $this->setEscaper(new Escaper($this->getEncoding()));
-        }
-        return $this->escaper;
-    }
-
     /**
      * Set the HTML tags surrounding all tags
      *
@@ -156,61 +94,7 @@ public function render($tags)
             ));
         }
         $cloudHTML = implode($this->getSeparator(), $tags);
-
-        $escaper = $this->getEscaper();
-        foreach ($this->getHTMLTags() as $key => $data) {
-            if (is_array($data)) {
-                $htmlTag    = $key;
-                $this->validateElementName($htmlTag);
-                $attributes = '';
-
-                foreach ($data as $param => $value) {
-                    $this->validateAttributeName($param);
-                    $attributes .= ' ' . $param . '="' . $escaper->escapeHtmlAttr($value) . '"';
-                }
-            } else {
-                $htmlTag    = $data;
-                $this->validateElementName($htmlTag);
-                $attributes = '';
-            }
-
-            $cloudHTML = sprintf('<%1$s%3$s>%2$s</%1$s>', $htmlTag, $cloudHTML, $attributes);
-        }
-
+        $cloudHTML = $this->wrapTag($cloudHTML);
         return $cloudHTML;
     }
-
-    /**
-     * Validate an HTML element name
-     * 
-     * @param  string $name 
-     * @throws Exception\InvalidElementNameException
-     */
-    protected function validateElementName($name)
-    {
-        if (!preg_match('/^[a-z0-9]+$/i', $name)) {
-            throw new Exception\InvalidElementNameException(sprintf(
-                '%s: Invalid element name "%s" provided; please provide valid HTML element names',
-                __METHOD__,
-                $this->getEscaper()->escapeHtml($name)
-            ));
-        }
-    }
-
-    /**
-     * Validate an HTML attribute name
-     * 
-     * @param  string $name 
-     * @throws Exception\InvalidAttributeNameException
-     */
-    protected function validateAttributeName($name)
-    {
-        if (!preg_match('/^[a-z_:][-a-z0-9_:.]*$/i', $name)) {
-            throw new Exception\InvalidAttributeNameException(sprintf(
-                '%s: Invalid HTML attribute name "%s" provided; please provide valid HTML attribute names',
-                __METHOD__,
-                $this->getEscaper()->escapeHtml($name)
-            ));
-        }
-    }
 }
diff --git a/library/Zend/Tag/Cloud/Decorator/HtmlTag.php b/library/Zend/Tag/Cloud/Decorator/HtmlTag.php
index 8f66f0e0775..70327af0c95 100644
--- a/library/Zend/Tag/Cloud/Decorator/HtmlTag.php
+++ b/library/Zend/Tag/Cloud/Decorator/HtmlTag.php
@@ -10,9 +10,7 @@
 
 namespace Zend\Tag\Cloud\Decorator;
 
-use Zend\Escaper\Escaper;
 use Zend\Tag\Cloud\Decorator\Exception\InvalidArgumentException;
-use Zend\Tag\Exception;
 use Zend\Tag\ItemList;
 
 /**
@@ -31,16 +29,6 @@ class HtmlTag extends AbstractTag
      */
     protected $classList = null;
 
-    /**
-     * @var string Encoding to utilize
-     */
-    protected $encoding = 'UTF-8';
-
-    /**
-     * @var Escaper
-     */
-    protected $escaper;
-
     /**
      * Unit for the fontsize
      *
@@ -114,55 +102,6 @@ public function getClassList()
         return $this->classList;
     }
 
-    /**
-     * Get encoding
-     *
-     * @return string
-     */
-    public function getEncoding()
-    {
-         return $this->encoding;
-    }
-
-    /**
-     * Set encoding
-     *
-     * @param  string $value
-     * @return HTMLTag
-     */
-    public function setEncoding($value)
-    {
-        $this->encoding = (string) $value;
-        return $this;
-    }
-
-    /**
-     * Set Escaper instance
-     *
-     * @param  Escaper $escaper
-     * @return HtmlTag
-     */
-    public function setEscaper($escaper)
-    {
-        $this->escaper = $escaper;
-        return $this;
-    }
-    
-    /**
-     * Retrieve Escaper instance
-     *
-     * If none registered, instantiates and registers one using current encoding.
-     *
-     * @return Escaper
-     */
-    public function getEscaper()
-    {
-        if (null === $this->escaper) {
-            $this->setEscaper(new Escaper($this->getEncoding()));
-        }
-        return $this->escaper;
-    }
-
     /**
      * Set the font size unit
      *
@@ -293,7 +232,6 @@ public function render($tags)
 
         $result = array();
 
-        $enc = $this->getEncoding();
         $escaper = $this->getEscaper();
         foreach ($tags as $tag) {
             if (null === ($classList = $this->getClassList())) {
@@ -302,64 +240,11 @@ public function render($tags)
                 $attribute = sprintf('class="%s"', $escaper->escapeHtmlAttr($tag->getParam('weightValue')));
             }
 
-            $tagHTML = sprintf('<a href="%s" %s>%s</a>', $escaper->escapeHtml($tag->getParam('url')), $attribute, $escaper->escapeHtml($tag->getTitle()));
-
-            foreach ($this->getHTMLTags() as $key => $data) {
-                if (is_array($data)) {
-                    $attributes = '';
-                    $htmlTag    = $key;
-                    $this->validateElementName($htmlTag);
-
-                    foreach ($data as $param => $value) {
-                        $this->validateAttributeName($param);
-                        $attributes .= ' ' . $param . '="' . $escaper->escapeHtmlAttr($value) . '"';
-                    }
-                } else {
-                    $attributes = '';
-                    $htmlTag    = $data;
-                    $this->validateElementName($htmlTag);
-                }
-
-                $tagHTML = sprintf('<%1$s%3$s>%2$s</%1$s>', $htmlTag, $tagHTML, $attributes);
-            }
-
+            $tagHTML  = sprintf('<a href="%s" %s>%s</a>', $escaper->escapeHtml($tag->getParam('url')), $attribute, $escaper->escapeHtml($tag->getTitle()));
+            $tagHTML  = $this->wrapTag($tagHTML);
             $result[] = $tagHTML;
         }
 
         return $result;
     }
-
-    /**
-     * Validate an HTML element name
-     * 
-     * @param  string $name 
-     * @throws Exception\InvalidElementNameException
-     */
-    protected function validateElementName($name)
-    {
-        if (!preg_match('/^[a-z0-9]+$/i', $name)) {
-            throw new Exception\InvalidElementNameException(sprintf(
-                '%s: Invalid element name "%s" provided; please provide valid HTML element names',
-                __METHOD__,
-                $this->getEscaper()->escapeHtml($name)
-            ));
-        }
-    }
-
-    /**
-     * Validate an HTML attribute name
-     * 
-     * @param  string $name 
-     * @throws Exception\InvalidAttributeNameException
-     */
-    protected function validateAttributeName($name)
-    {
-        if (!preg_match('/^[a-z_:][-a-z0-9_:.]*$/i', $name)) {
-            throw new Exception\InvalidAttributeNameException(sprintf(
-                '%s: Invalid HTML attribute name "%s" provided; please provide valid HTML attribute names',
-                __METHOD__,
-                $this->getEscaper()->escapeHtml($name)
-            ));
-        }
-    }
 }

From a36406ddea52fd294b291310be00c526df6b713a Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney <matthew@zend.com>
Date: Mon, 17 Sep 2012 15:35:28 -0500
Subject: [PATCH 4/9] Refactored HeadStyle helper to use Escaper

- Refactored AbstractStandalone placeholder to maintain registry of
  escaper instances by encoding type
- HeadStyle pulls escaper by discovered encoding, and uses it to escape
  attributes
---
 library/Zend/View/Helper/HeadStyle.php        |  3 +-
 .../Container/AbstractStandalone.php          | 51 +++++++++++++++----
 2 files changed, 42 insertions(+), 12 deletions(-)

diff --git a/library/Zend/View/Helper/HeadStyle.php b/library/Zend/View/Helper/HeadStyle.php
index 5a400b76e87..369dd99fc7a 100644
--- a/library/Zend/View/Helper/HeadStyle.php
+++ b/library/Zend/View/Helper/HeadStyle.php
@@ -311,6 +311,7 @@ public function itemToString(stdClass $item, $indent)
             ) {
                 $enc = $this->view->getEncoding();
             }
+            $escaper = $this->getEscaper($enc);
             foreach ($item->attributes as $key => $value) {
                 if (!in_array($key, $this->optionalAttributes)) {
                     continue;
@@ -333,7 +334,7 @@ public function itemToString(stdClass $item, $indent)
                         $value = substr($value, 0, -1);
                     }
                 }
-                $attrString .= sprintf(' %s="%s"', $key, htmlspecialchars($value, ENT_COMPAT, $enc));
+                $attrString .= sprintf(' %s="%s"', $key, $escaper->escapeHtmlAttr($value));
             }
         }
 
diff --git a/library/Zend/View/Helper/Placeholder/Container/AbstractStandalone.php b/library/Zend/View/Helper/Placeholder/Container/AbstractStandalone.php
index 8017f516113..61ba616f2a2 100644
--- a/library/Zend/View/Helper/Placeholder/Container/AbstractStandalone.php
+++ b/library/Zend/View/Helper/Placeholder/Container/AbstractStandalone.php
@@ -10,8 +10,10 @@
 
 namespace Zend\View\Helper\Placeholder\Container;
 
+use Zend\Escaper\Escaper;
 use Zend\View\Exception;
 use Zend\View\Helper\Placeholder\Registry;
+use Zend\View\Renderer\RendererInterface;
 
 /**
  * Base class for targeted placeholder helpers
@@ -28,6 +30,11 @@ abstract class AbstractStandalone
      */
     protected $container;
 
+    /**
+     * @var Escaper[]
+     */
+    protected $escapers = array();
+
     /**
      * @var \Zend\View\Helper\Placeholder\Registry
      */
@@ -78,6 +85,35 @@ public function setRegistry(Registry $registry)
         return $this;
     }
 
+    /**
+     * Set Escaper instance
+     *
+     * @param  Escaper $escaper
+     * @return AbstractStandalone
+     */
+    public function setEscaper(Escaper $escaper)
+    {
+        $encoding = $escaper->getEncoding();
+        $this->escapers[$encoding] = $escaper;
+        return $this;
+    }
+    
+    /**
+     * Get Escaper instance
+     *
+     * Lazy-loads one if none available
+     *
+     * @return mixed
+     */
+    public function getEscaper($enc = 'UTF-8')
+    {
+        $enc = strtolower($enc);
+        if (!isset($this->escapers[$enc])) {
+            $this->setEscaper(new Escaper($enc));
+        }
+        return $this->escapers[$enc];
+    }
+
     /**
      * Set whether or not auto escaping should be used
      *
@@ -108,23 +144,16 @@ public function getAutoEscape()
      */
     protected function escape($string)
     {
-        $enc = 'UTF-8';
-        if ($this->view instanceof \Zend\View\Renderer\RendererInterface
+        if ($this->view instanceof RendererInterface
             && method_exists($this->view, 'getEncoding')
         ) {
-            $enc = $this->view->getEncoding();
+            $enc     = $this->view->getEncoding();
             $escaper = $this->view->plugin('escapeHtml');
             return $escaper((string) $string);
         }
-        /**
-         * bump this out to a protected method to kill the instance penalty!
-         */
-        $escaper = new \Zend\Escaper\Escaper($enc);
+
+        $escaper = $this->getEscaper();
         return $escaper->escapeHtml((string) $string);
-        /**
-         * Replaced to ensure consistent escaping
-         */
-        //return htmlspecialchars((string) $string, ENT_COMPAT, $enc);
     }
 
     /**

From 2f06df6ba2517b71e1a992f2d3c0bcb507789110 Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney <matthew@zend.com>
Date: Mon, 17 Sep 2012 15:38:42 -0500
Subject: [PATCH 5/9] Refactored Sitemap helper to use Escaper

- refactored xmlEscape() to use escapeHtml helper instead of
  htmlspecialchars()
---
 library/Zend/View/Helper/Navigation/Sitemap.php | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/library/Zend/View/Helper/Navigation/Sitemap.php b/library/Zend/View/Helper/Navigation/Sitemap.php
index 37da30f51f5..f55d4d5ccad 100644
--- a/library/Zend/View/Helper/Navigation/Sitemap.php
+++ b/library/Zend/View/Helper/Navigation/Sitemap.php
@@ -242,14 +242,8 @@ public function getServerUrl()
      */
     protected function xmlEscape($string)
     {
-        $enc = 'UTF-8';
-        if ($this->view instanceof View\Renderer\RendererInterface
-            && method_exists($this->view, 'getEncoding')
-        ) {
-            $enc = $this->view->getEncoding();
-        }
-
-        return htmlspecialchars($string, ENT_QUOTES, $enc, false);
+        $escaper = $this->view->plugin('escapeHtml');
+        return $escaper($string);
     }
 
     // Public methods:

From 6791343f8c8cd1948315a87eb15e16b57e08bc71 Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney <matthew@zend.com>
Date: Mon, 17 Sep 2012 15:43:09 -0500
Subject: [PATCH 6/9] Refactored XML log formatter to use Escaper

- instead of htmlspecialchars
- added "suggested" requirement of Escaper to composer.json
---
 library/Zend/Log/Formatter/Xml.php | 42 +++++++++++++++++++++++++++---
 library/Zend/Log/composer.json     |  1 +
 2 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/library/Zend/Log/Formatter/Xml.php b/library/Zend/Log/Formatter/Xml.php
index 64bb6da200a..cbde6074c20 100644
--- a/library/Zend/Log/Formatter/Xml.php
+++ b/library/Zend/Log/Formatter/Xml.php
@@ -14,6 +14,7 @@
 use DOMDocument;
 use DOMElement;
 use Traversable;
+use Zend\Escaper\Escaper;
 use Zend\Stdlib\ArrayUtils;
 
 /**
@@ -38,6 +39,11 @@ class Xml implements FormatterInterface
      */
     protected $encoding;
 
+    /**
+     * @var Escaper instance
+     */
+    protected $escaper;
+
     /**
      * Format specifier for DateTime objects in event data (default: ISO 8601)
      *
@@ -121,6 +127,33 @@ public function setEncoding($value)
         return $this;
     }
 
+    /**
+     * Set Escaper instance
+     *
+     * @param  Escaper $escaper
+     * @return Xml
+     */
+    public function setEscaper(Escaper $escaper)
+    {
+        $this->escaper = $escaper;
+        return $this;
+    }
+    
+    /**
+     * Get Escaper instance
+     *
+     * Lazy-loads an instance with the current encoding if none registered.
+     *
+     * @return Escaper
+     */
+    public function getEscaper()
+    {
+        if (null === $this->escaper) {
+            $this->setEscaper(new Escaper($this->getEncoding()));
+        }
+        return $this->escaper;
+    }
+
     /**
      * Formats data into a single line to be written by the writer.
      *
@@ -142,9 +175,10 @@ public function format($event)
             }
         }
 
-        $enc = $this->getEncoding();
-        $dom = new DOMDocument('1.0', $enc);
-        $elt = $dom->appendChild(new DOMElement($this->rootElement));
+        $enc     = $this->getEncoding();
+        $escaper = $this->getEscaper();
+        $dom     = new DOMDocument('1.0', $enc);
+        $elt     = $dom->appendChild(new DOMElement($this->rootElement));
 
         foreach ($dataToInsert as $key => $value) {
             if (empty($value)
@@ -152,7 +186,7 @@ public function format($event)
                 || (is_object($value) && method_exists($value,'__toString'))
             ) {
                 if ($key == "message") {
-                    $value = htmlspecialchars($value, ENT_COMPAT, $enc);
+                    $value = $escaper->escapeHtml($value);
                 } elseif ($key == "extra" && empty($value)) {
                     continue;
                 }
diff --git a/library/Zend/Log/composer.json b/library/Zend/Log/composer.json
index 34c1fabc674..004d24beaf3 100644
--- a/library/Zend/Log/composer.json
+++ b/library/Zend/Log/composer.json
@@ -20,6 +20,7 @@
     "suggest": {
         "ext-mongo": "*",
         "zendframework/zend-db": "Zend\\Db component",
+        "zendframework/zend-escaper": "Zend\\Escaper component, for use in the XML formatter",
         "zendframework/zend-mail": "Zend\\Mail component",
         "zendframework/zend-validator": "Zend\\Validator component"
     }

From ad3628bc2c05c297af4492330885d49f373e1e91 Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney <matthew@zend.com>
Date: Mon, 17 Sep 2012 15:48:43 -0500
Subject: [PATCH 7/9] Refactored Debug to use Escaper

- instead of htmlspecialchars
- added zend-escaper dependency to component
- added static setter/getter for Escaper
---
 library/Zend/Debug/Debug.php     | 33 +++++++++++++++++++++++++++++++-
 library/Zend/Debug/composer.json |  8 ++++++--
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/library/Zend/Debug/Debug.php b/library/Zend/Debug/Debug.php
index dd1472fba9f..fefae2b400e 100644
--- a/library/Zend/Debug/Debug.php
+++ b/library/Zend/Debug/Debug.php
@@ -10,6 +10,8 @@
 
 namespace Zend\Debug;
 
+use Zend\Escaper\Escaper;
+
 /**
  * Concrete class for generating debug dumps related to the output source.
  *
@@ -18,6 +20,10 @@
  */
 class Debug
 {
+    /**
+     * @var Escaper
+     */
+    protected static $escaper = null;
 
     /**
      * @var string
@@ -50,6 +56,31 @@ public static function setSapi($sapi)
         self::$sapi = $sapi;
     }
 
+    /**
+     * Set Escaper instance
+     *
+     * @param  Escaper $escaper
+     */
+    public static function setEscaper(Escaper $escaper)
+    {
+        static::$escaper = $escaper;
+    }
+    
+    /**
+     * Get Escaper instance
+     *
+     * Lazy loads an instance if none provided.
+     *
+     * @return Escaper
+     */
+    public static function getEscaper()
+    {
+        if (null === static::$escaper) {
+            static::setEscaper(new Escaper());
+        }
+        return static::$escaper;
+    }
+
     /**
      * Debug helper function.  This is a wrapper for var_dump() that adds
      * the <pre /> tags, cleans up newlines and indents, and runs
@@ -78,7 +109,7 @@ public static function dump($var, $label=null, $echo=true)
                     . PHP_EOL;
         } else {
             if (!extension_loaded('xdebug')) {
-                $output = htmlspecialchars($output, ENT_QUOTES);
+                $output = static::getEscaper()->escapeHtml($output);
             }
 
             $output = '<pre>'
diff --git a/library/Zend/Debug/composer.json b/library/Zend/Debug/composer.json
index 02b34458c47..de9d6bf8ccd 100644
--- a/library/Zend/Debug/composer.json
+++ b/library/Zend/Debug/composer.json
@@ -13,6 +13,10 @@
     },
     "target-dir": "Zend/Debug",
     "require": {
-        "php": ">=5.3.3"
+        "php": ">=5.3.3",
+        "zendframework/zend-escaper": "self.version"
+    },
+    "suggest": {
+        "ext/xdebug": "XDebug, for better backtrace output"
     }
-}
\ No newline at end of file
+}

From 7f48d9edf82bcd7ece9d189d836682be83d08e91 Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney <matthew@zend.com>
Date: Mon, 17 Sep 2012 16:02:15 -0500
Subject: [PATCH 8/9] Updated Uri to use Escaper

- instead of rawurlencode()
- statically composes Escaper instance, and uses it in
  preg_replace_callback calls
- Added zend-escaper to composer.json
---
 library/Zend/Uri/Uri.php       | 46 +++++++++++++++++++++++++++++-----
 library/Zend/Uri/composer.json |  3 ++-
 2 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/library/Zend/Uri/Uri.php b/library/Zend/Uri/Uri.php
index 6e700c8fc2a..4dfa5224f5e 100644
--- a/library/Zend/Uri/Uri.php
+++ b/library/Zend/Uri/Uri.php
@@ -10,6 +10,7 @@
 
 namespace Zend\Uri;
 
+use Zend\Escaper\Escaper;
 use Zend\Validator;
 
 /**
@@ -125,6 +126,11 @@ class Uri implements UriInterface
      */
     protected static $defaultPorts = array();
 
+    /**
+     * @var Escaper
+     */
+    protected static $escaper;
+
     /**
      * Create a new URI object
      *
@@ -152,6 +158,31 @@ public function __construct($uri = null)
         }
     }
 
+    /**
+     * Set Escaper instance
+     * 
+     * @param  Escaper $escaper 
+     */
+    public static function setEscaper(Escaper $escaper)
+    {
+        static::$escaper = $escaper;
+    }
+
+    /**
+     * Retrieve Escaper instance
+     *
+     * Lazy-loads one if none provided
+     * 
+     * @return Escaper
+     */
+    public static function getEscaper()
+    {
+        if (null === static::$escaper) {
+            static::setEscaper(new Escaper());
+        }
+        return static::$escaper;
+    }
+
     /**
      * Check if the URI is valid
      *
@@ -935,8 +966,9 @@ public static function encodeUserInfo($userInfo)
         }
 
         $regex   = '/(?:[^' . self::CHAR_UNRESERVED . self::CHAR_SUB_DELIMS . '%:]|%(?![A-Fa-f0-9]{2}))/';
-        $replace = function($match) {
-            return rawurlencode($match[0]);
+        $escaper = static::getEscaper();
+        $replace = function ($match) use ($escaper) {
+            return $escaper->escapeUrl($match[0]);
         };
 
         return preg_replace_callback($regex, $replace, $userInfo);
@@ -962,8 +994,9 @@ public static function encodePath($path)
         }
 
         $regex   = '/(?:[^' . self::CHAR_UNRESERVED . ':@&=\+\$,\/;%]+|%(?![A-Fa-f0-9]{2}))/';
-        $replace = function($match) {
-            return rawurlencode($match[0]);
+        $escaper = static::getEscaper();
+        $replace = function ($match) use ($escaper) {
+            return $escaper->escapeUrl($match[0]);
         };
 
         return preg_replace_callback($regex, $replace, $path);
@@ -990,8 +1023,9 @@ public static function encodeQueryFragment($input)
         }
 
         $regex   = '/(?:[^' . self::CHAR_UNRESERVED . self::CHAR_SUB_DELIMS . '%:@\/\?]+|%(?![A-Fa-f0-9]{2}))/';
-        $replace = function($match) {
-            return rawurlencode($match[0]);
+        $escaper = static::getEscaper();
+        $replace = function ($match) use ($escaper) {
+            return $escaper->escapeUrl($match[0]);
         };
 
         return preg_replace_callback($regex, $replace, $input);
diff --git a/library/Zend/Uri/composer.json b/library/Zend/Uri/composer.json
index 52fd0a34967..ae5e2cbcf3c 100644
--- a/library/Zend/Uri/composer.json
+++ b/library/Zend/Uri/composer.json
@@ -14,6 +14,7 @@
     "target-dir": "Zend/Uri",
     "require": {
         "php": ">=5.3.3",
+        "zendframework/zend-escaper": "self.version",
         "zendframework/zend-validator": "self.version"
     }
-}
\ No newline at end of file
+}

From 07d847b705911da6a15257f64895f69cab7ad50c Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney <matthew@zend.com>
Date: Mon, 17 Sep 2012 16:10:25 -0500
Subject: [PATCH 9/9] Refactored PubSubHubbub to use Escaper

- instead of rawurlencode()
- added static accessors for Escaper instance
- added zend-escaper to composer.json for Zend\Feed
---
 .../Zend/Feed/PubSubHubbub/PubSubHubbub.php   | 48 ++++++++++++++++---
 library/Zend/Feed/composer.json               |  1 +
 2 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/library/Zend/Feed/PubSubHubbub/PubSubHubbub.php b/library/Zend/Feed/PubSubHubbub/PubSubHubbub.php
index 114f563b805..3e4b8ba3e8e 100644
--- a/library/Zend/Feed/PubSubHubbub/PubSubHubbub.php
+++ b/library/Zend/Feed/PubSubHubbub/PubSubHubbub.php
@@ -10,6 +10,7 @@
 
 namespace Zend\Feed\PubSubHubbub;
 
+use Zend\Escaper\Escaper;
 use Zend\Feed\Reader;
 use Zend\Http;
 
@@ -32,10 +33,15 @@ class PubSubHubbub
     const SUBSCRIPTION_NOTVERIFIED = 'not_verified';
     const SUBSCRIPTION_TODELETE    = 'to_delete';
 
+    /**
+     * @var Escaper
+     */
+    protected static $escaper;
+
     /**
      * Singleton instance if required of the HTTP client
      *
-     * @var \Zend\Http\Client
+     * @var Http\Client
      */
     protected static $httpClient = null;
 
@@ -67,7 +73,7 @@ public static function detectHubs($source)
      * Allows the external environment to make Zend_Oauth use a specific
      * Client instance.
      *
-     * @param  \Zend\Http\Client $httpClient
+     * @param  Http\Client $httpClient
      * @return void
      */
     public static function setHttpClient(Http\Client $httpClient)
@@ -80,15 +86,15 @@ public static function setHttpClient(Http\Client $httpClient)
      * the instance is reset and cleared of previous parameters GET/POST.
      * Headers are NOT reset but handled by this component if applicable.
      *
-     * @return \Zend\Http\Client
+     * @return Http\Client
      */
     public static function getHttpClient()
     {
-        if (!isset(self::$httpClient)):
+        if (!isset(self::$httpClient)) {
             self::$httpClient = new Http\Client;
-        else:
+        } else {
             self::$httpClient->resetParameters();
-        endif;
+        }
         return self::$httpClient;
     }
 
@@ -103,6 +109,33 @@ public static function clearHttpClient()
         self::$httpClient = null;
     }
 
+    /**
+     * Set the Escaper instance
+     *
+     * If null, resets the instance
+     * 
+     * @param  null|Escaper $escaper 
+     */
+    public static function setEscaper(Escaper $escaper = null)
+    {
+        static::$escaper = $escaper;
+    }
+
+    /**
+     * Get the Escaper instance
+     *
+     * If none registered, lazy-loads an instance.
+     * 
+     * @return Escaper
+     */
+    public static function getEscaper()
+    {
+        if (null === static::$escaper) {
+            static::setEscaper(new Escaper());
+        }
+        return static::$escaper;
+    }
+
     /**
      * RFC 3986 safe url encoding method
      *
@@ -111,7 +144,8 @@ public static function clearHttpClient()
      */
     public static function urlencode($string)
     {
-        $rawencoded = rawurlencode($string);
+        $escaper    = static::getEscaper();
+        $rawencoded = $escaper->escapeUrl($string);
         $rfcencoded = str_replace('%7E', '~', $rawencoded);
         return $rfcencoded;
     }
diff --git a/library/Zend/Feed/composer.json b/library/Zend/Feed/composer.json
index 61e61a53bf3..d98958ee8e9 100644
--- a/library/Zend/Feed/composer.json
+++ b/library/Zend/Feed/composer.json
@@ -14,6 +14,7 @@
     "target-dir": "Zend/Feed",
     "require": {
         "php": ">=5.3.3",
+        "zendframework/zend-escaper": "self.version",
         "zendframework/zend-stdlib": "self.version"
     },
     "suggest": {