Merge branch 'security/escaper-usage'

Fixes a number of components that were not using Zend\Escaper to escape HTML,
HTML attributes, and/or URLs.

composer.json

@@ -13,7 +13,8 @@
         }
     },
     "require": {
-        "php": ">=5.3.3"
+        "php": ">=5.3.3",
+        "zendframework/zend-escaper": "self.version"
     },
     "require-dev": {
         "zendframework/zend-escaper": "2.*",

src/Debug.php

@@ -10,6 +10,8 @@
 
 namespace Zend\Debug;
 
+use Zend\Escaper\Escaper;
+
 /**
  * Concrete class for generating debug dumps related to the output source.
  *
@@ -18,6 +20,10 @@
  */
 class Debug
 {
+    /**
+     * @var Escaper
+     */
+    protected static $escaper = null;
 
     /**
      * @var string
@@ -50,6 +56,31 @@ public static function setSapi($sapi)
         self::$sapi = $sapi;
     }
 
+    /**
+     * Set Escaper instance
+     *
+     * @param  Escaper $escaper
+     */
+    public static function setEscaper(Escaper $escaper)
+    {
+        static::$escaper = $escaper;
+    }
+
+    /**
+     * Get Escaper instance
+     *
+     * Lazy loads an instance if none provided.
+     *
+     * @return Escaper
+     */
+    public static function getEscaper()
+    {
+        if (null === static::$escaper) {
+            static::setEscaper(new Escaper());
+        }
+        return static::$escaper;
+    }
+
     /**
      * Debug helper function.  This is a wrapper for var_dump() that adds
      * the <pre /> tags, cleans up newlines and indents, and runs
@@ -78,7 +109,7 @@ public static function dump($var, $label=null, $echo=true)
                     . PHP_EOL;
         } else {
             if (!extension_loaded('xdebug')) {
-                $output = htmlspecialchars($output, ENT_QUOTES);
+                $output = static::getEscaper()->escapeHtml($output);
             }
 
             $output = '<pre>'