The documentation for Zend_View shows an escape($var) method. It also suggests that it should be manually invoked for each variable we want to display: $this->escape($this->var);

Is there a way to extend Zend_View to automatically escape?
This is a risky thing to consider for two reasons.

Firstly, the type of escaping required depends on the context in which the variable is output. E.g. outputting a string in the middle of some HTML requires different characters to be escaped than outputting it within some <script> tags, or as the value of an HTML attribute.

Secondly, what would you do about objects? Consider echo $this->name vs. echo $this->user->name (where $this->user is an instance of a class). In the latter example ->name could even be a dynamically generated string that is the result of a __get() call. There's no way for this to be auto-escaped, so you end up in a situation where some of your data is auto-escaped and some hasn't been. Arguably this is less secure than the out-of-the-box-escape-it-yourself approach, as it provides a false sense of security.
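Both points in the answer can be shown with a few lines of plain PHP. The following is an added example, not code from the question, the answer or Zend Framework; the functions escapeHtml, escapeAttr and escapeJs, the classes User and NaiveAutoEscapingView, and the sample name are all constructed for illustration. The first half renders one value into three output contexts (HTML body, attribute, JavaScript string) and shows that the HTML escaper corrupts the value inside <script> rather than protecting it; the second half shows that a view which escapes on assignment never sees a value that is produced by __get() at render time.

```php
<?php
// Added example: context-dependent escaping and the __get() blind spot.
// Names here are illustrative and are not Zend_View APIs.

// Constructed sample value: legal user input that is safe in no output context.
$name = 'O\'Reilly <b>&</b> "Sons"';

// 1. HTML body context: entity-encode & < > ' " so the text cannot become markup.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. HTML attribute context: same entities, but the template must also quote the
//    attribute, otherwise whitespace in the value ends the attribute early.
function escapeAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. JavaScript string context: the browser does not decode HTML entities inside
//    <script>, so entity-encoding is the wrong tool. Emit a JSON string literal
//    with < > & ' " hex-escaped so the value can never close the script element.
function escapeJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

echo '<p>' . escapeHtml($name) . "</p>\n";
echo '<input type="text" value="' . escapeAttr($name) . "\">\n";
echo '<script>var name = ' . escapeJs($name) . ";</script>\n";

// Wrong tool for the context: the HTML escaper inside <script> hands JavaScript
// the literal text "O&#039;Reilly &lt;b&gt;..." instead of the original value.
echo '<script>var corrupted = "' . escapeHtml($name) . "\";</script>\n";

// Second point: a view that escapes on assignment only sees top-level strings.
class User
{
    public function __construct(private array $data) {}

    // Property values are produced on demand and returned raw.
    public function __get(string $prop): mixed
    {
        return $this->data[$prop] ?? null;
    }
}

class NaiveAutoEscapingView
{
    private array $vars = [];

    public function assign(string $key, mixed $value): void
    {
        // Strings are escaped on the way in; objects pass through untouched.
        $this->vars[$key] = is_string($value) ? escapeHtml($value) : $value;
    }

    public function __get(string $key): mixed
    {
        return $this->vars[$key] ?? null;
    }
}

$view = new NaiveAutoEscapingView();
$view->assign('name', $name);
$view->assign('user', new User(['name' => $name]));

echo $view->name . "\n";        // escaped: the view saw this string
echo $view->user->name . "\n";  // NOT escaped: produced by User::__get() at render time
```

Run it from the command line (php example.php) and compare the last two lines: the same value reaches the page escaped through one path and raw through the other, which is the "false sense of security" the answer describes. Requires PHP 8.0 or later for constructor property promotion and the mixed type.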