1 <?xml version="1.0" encoding="UTF-8"?>
3 <sect1 id="migration.19">
4 <title>Zend Framework 1.9</title>
7 When upgrading from a release of Zend Framework earlier than 1.9.0 to any 1.9 release, you
8 should note the following migration notes.
11 <sect2 id="migration.19.zend.file.transfer">
12 <title>Zend_File_Transfer</title>
14 <sect3 id="migration.19.zend.file.transfer.mimetype">
15 <title>MimeType validation</title>
18 For security reasons we had to turn off the default fallback mechanism of the
19 <classname>MimeType</classname>, <classname>ExcludeMimeType</classname>,
20 <classname>IsCompressed</classname> and <classname>IsImage</classname> validators.
21 This means, that if the <emphasis>fileInfo</emphasis> or
22 <emphasis>magicMime</emphasis> extensions can not be found, the validation will
27 If you are in need of validation by using the <acronym>HTTP</acronym> fields which
28 are provided by the user then you can turn on this feature by using the
29 <methodname>enableHeaderCheck()</methodname> method.
33 <title>Security hint</title>
36 You should note that relying on the <acronym>HTTP</acronym> fields, which are
37 provided by your user, is a security risk. They can easily be changed and could
38 allow your user to provide a malcious file.
42 <example id="migration.19.zend.file.transfer.example">
43 <title>Allow the usage of the HTTP fields</title>
45 <programlisting language="php"><![CDATA[
47 $valid = new Zend_File_Transfer_Adapter_Http(array('headerCheck' => true);
50 $valid->enableHeaderCheck();
56 <sect2 id="migration.19.zend.filter">
57 <title>Zend_Filter</title>
60 Prior to the 1.9 release, <classname>Zend_Filter</classname> allowed
61 the usage of the static <methodname>get()</methodname> method. As with
62 release 1.9 this method has been renamed to
63 <methodname>filterStatic()</methodname> to be more descriptive. The
64 old <methodname>get()</methodname> method is marked as deprecated.
68 <sect2 id="migration.19.zend.http.client">
69 <title>Zend_Http_Client</title>
71 <sect3 id="migration.19.zend.http.client.fileuploadsarray">
72 <title>Changes to internal uploaded file information storage</title>
75 In version 1.9 of Zend Framework, there has been a change in the way
76 <classname>Zend_Http_Client</classname> internally stores information about
77 files to be uploaded, set using the
78 <methodname>Zend_Http_Client::setFileUpload()</methodname> method.
82 This change was introduced in order to allow multiple files to be uploaded
83 with the same form name, as an array of files. More information about this issue
84 can be found in <ulink
85 url="http://framework.zend.com/issues/browse/ZF-5744">this bug report</ulink>.
88 <example id="migration.19.zend.http.client.fileuploadsarray.example">
89 <title>Internal storage of uploaded file information</title>
91 <programlisting language="php"><![CDATA[
92 // Upload two files with the same form element name, as an array
93 $client = new Zend_Http_Client();
94 $client->setFileUpload('file1.txt',
98 $client->setFileUpload('file2.txt',
101 'application/octet-stream');
103 // In Zend Framework 1.8 or older, the value of
104 // the protected member $client->files is:
105 // $client->files = array(
106 // 'userfile[]' => array('file2.txt',
107 'application/octet-stream',
111 // In Zend Framework 1.9 or newer, the value of $client->files is:
112 // $client->files = array(
114 // 'formname' => 'userfile[]',
115 // 'filename' => 'file1.txt,
116 // 'ctype' => 'text/plain',
117 // 'data' => 'some raw data'
120 // 'formname' => 'userfile[]',
121 // 'filename' => 'file2.txt',
122 // 'formname' => 'application/octet-stream',
123 // 'formname' => 'some other data'
130 As you can see, this change permits the usage of the same form element name with
131 more than one file - however, it introduces a subtle backwards-compatibility change
132 and as such should be noted.
136 <sect3 id="migration.19.zend.http.client.getparamsrecursize">
137 <title>Deprecation of Zend_Http_Client::_getParametersRecursive()</title>
140 Starting from version 1.9, the protected method
141 <methodname>_getParametersRecursive()</methodname> is no longer used by
142 <classname>Zend_Http_Client</classname> and is deprecated. Using it will cause an
143 <constant>E_NOTICE</constant> message to be emitted by <acronym>PHP</acronym>.
147 If you subclass <classname>Zend_Http_Client</classname> and call this method, you
148 should look into using the
149 <methodname>Zend_Http_Client::_flattenParametersArray()</methodname> static method
154 Again, since this <methodname>_getParametersRecursive()</methodname> is a protected
155 method, this change will only affect users who subclass
156 <classname>Zend_Http_Client</classname>.
161 <sect2 id="migration.19.zend.locale">
162 <title>Zend_Locale</title>
164 <sect3 id="migration.19.zend.locale.deprecated">
165 <title>Deprecated methods</title>
168 Some specialized translation methods have been deprecated because they duplicate
169 existing behaviour. Note that the old methods will still work, but a user notice is
170 triggered which describes the new call. The methods will be erased with 2.0.
171 See the following list for old and new method call.
174 <table id="migration.19.zend.locale.deprecated.table-1">
175 <title>List of measurement types</title>
180 <entry>Old call</entry>
181 <entry>New call</entry>
188 <methodname>getLanguageTranslationList($locale)</methodname>
192 <methodname>getTranslationList('language', $locale)</methodname>
198 <methodname>getScriptTranslationList($locale)</methodname>
202 <methodname>getTranslationList('script', $locale)</methodname>
208 <methodname>getCountryTranslationList($locale)</methodname>
212 <methodname>getTranslationList('territory', $locale, 2)</methodname>
218 <methodname>getTerritoryTranslationList($locale)</methodname>
222 <methodname>getTranslationList('territory', $locale, 1)</methodname>
228 <methodname>getLanguageTranslation($value, $locale)</methodname>
232 <methodname>getTranslation($value, 'language', $locale)</methodname>
238 <methodname>getScriptTranslation($value, $locale)</methodname>
242 <methodname>getTranslation($value, 'script', $locale)</methodname>
248 <methodname>getCountryTranslation($value, $locale)</methodname>
252 <methodname>getTranslation($value, 'country', $locale)</methodname>
258 <methodname>getTerritoryTranslation($value, $locale)</methodname>
262 <methodname>getTranslation($value, 'territory',
263 $locale)</methodname>
272 <sect2 id="migration.19.zend.view.helper.navigation">
273 <title>Zend_View_Helper_Navigation</title>
276 Prior to the 1.9 release, the menu helper
277 (<classname>Zend_View_Helper_Navigation_Menu</classname>) did not
278 render sub menus correctly. When <property>onlyActiveBranch</property>
279 was <constant>TRUE</constant> and the option <property>renderParents</property>
280 <constant>FALSE</constant>, nothing would be rendered if the deepest active
281 page was at a depth lower than the <property>minDepth</property> option.
285 In simpler words; if <property>minDepth</property> was set to '1'
286 and the active page was at one of the first level pages, nothing
287 would be rendered, as the following example shows.
291 Consider the following container setup:
294 <programlisting language="php"><![CDATA[
296 $container = new Zend_Navigation(array(
302 'label' => 'Products',
317 'label' => 'Solutions',
324 The following code is used in a view script:
327 <programlisting language="php"><![CDATA[
328 <?php echo $this->navigation()->menu()->renderMenu($container, array(
330 'onlyActiveBranch' => true,
331 'renderParents' => false
336 Before release 1.9, the code snippet above would output nothing.
340 Since release 1.9, the <methodname>_renderDeepestMenu()</methodname> method in
341 <classname>Zend_View_Helper_Navigation_Menu</classname> will accept
342 active pages at one level below <property>minDepth</property>, as long as
343 the page has children.
347 The same code snippet will now output the following:
350 <programlisting language="html"><![CDATA[
351 <ul class="navigation">
353 <a href="#">Server</a>
356 <a href="#">Studio</a>
362 <sect2 id="migration.19.security">
363 <title>Security fixes as with 1.9.7</title>
366 Additionally, users of the 1.9 series may be affected by other changes starting in
367 version 1.9.7. These are all security fixes that also have potential backwards
368 compatibility implications.
371 <sect3 id="migration.19.security.zend.dojo.editor">
372 <title>Zend_Dojo_View_Helper_Editor</title>
375 A slight change was made in the 1.9 series to modify the default usage of the Editor
376 dijit to use <acronym>div</acronym> tags instead of a <acronym>textarea</acronym>
377 tag; the latter usage has <ulink
378 url="http://api.dojotoolkit.org/jsdoc/HEAD/dijit._editor.RichText">security
379 implications</ulink>, and usage of <acronym>div</acronym> tags is recommended by the
384 In order to still allow graceful degradation, a new <varname>degrade</varname>
385 option was added to the view helper; this would allow developers to optionally use a
386 <acronym>textarea</acronym> instead. However, this opens applications developed with
387 that usage to <acronym>XSS</acronym> vectors. In 1.9.7, we have removed this option.
388 Graceful degradation is still supported, however, via a <acronym>noscript</acronym>
389 tag that embeds a <acronym>textarea</acronym>. This solution addressess all security
394 The takeaway is that if you were using the <varname>degrade</varname> flag, it will
395 simply be ignored at this time.
399 <sect3 id="migration.19.security.zend.filter.html-entities">
400 <title>Zend_Filter_HtmlEntities</title>
403 In order to default to a more secure character encoding,
404 <classname>Zend_Filter_HtmlEntities</classname> now defaults to
405 <acronym>UTF-8</acronym> instead of <acronym>ISO-8859-1</acronym>.
409 Additionally, because the actual mechanism is dealing with character encodings and
410 not character sets, two new methods have been added,
411 <methodname>setEncoding()</methodname> and <methodname>getEncoding()</methodname>.
412 The previous methods <methodname>setCharSet()</methodname> and
413 <methodname>setCharSet()</methodname> are now deprecated and proxy to the new
414 methods. Finally, instead of using the protected members directly within the
415 <methodname>filter()</methodname> method, these members are retrieved by their
416 explicit accessors. If you were extending the filter in the past, please check your
417 code and unit tests to ensure everything still continues to work.
421 <sect3 id="migration.19.security.zend.filter.strip-tags">
422 <title>Zend_Filter_StripTags</title>
425 <classname>Zend_Filter_StripTags</classname> contains a flag,
426 <varname>commentsAllowed</varname>, that, in previous versions, allowed you to
427 optionally whitelist <acronym>HTML</acronym> comments in <acronym>HTML</acronym>
428 text filtered by the class. However, this opens code enabling the flag to
429 <acronym>XSS</acronym> attacks, particularly in Internet Explorer (which allows
430 specifying conditional functionality via <acronym>HTML</acronym> comments). Starting
431 in version 1.9.7 (and backported to versions 1.8.5 and 1.7.9), the
432 <varname>commentsAllowed</varname> flag no longer has any meaning, and all
433 <acronym>HTML</acronym> comments, including those containing other
434 <acronym>HTML</acronym> tags or nested commments, will be stripped from the final
435 output of the filter.