The tracking code generator was not escaping quotes in string values (e.g. tracking custom variables).
Was reported in #8035
JS Tracking Code > Advanced > "Track Custom variables for this visitor" -> set Name to hello"world -> in the JS code, expected to get "hello\"world", got instead:
Also, the automatic HTML entity encoding for API parameters was messing things up (yet another #4231 win); I added a temporary fix to remove later.
Reviewers: please give another look for XSS issues.
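The defect described above is a generator that concatenates user-supplied values straight into JavaScript source, so a value such as hello"world terminates the string literal early. The following is an added example, not Piwik's own generator code: it shows the naive rendering beside an escaper that emits a well-formed double-quoted JS literal, using only escape sequences that JSON also accepts so the result can be round-tripped with JSON.parse. It goes slightly beyond the quote case in the report by also escaping backslashes, control characters, the characters `<`, `>` and `&` (so a value cannot close an inline script element) and the U+2028/U+2029 line separators. The `_paq.push(['setCustomVariable', ...])` shape is assumed to match the Piwik tracker API; nothing else here comes from the page.

```javascript
// Added example (not part of the original pull request or the Piwik code base).

// Naive rendering, as the generator behaved before the fix: no escaping at all,
// so a quote inside the value ends the literal and the rest becomes JS code.
function naiveJsString(value) {
  return '"' + value + '"';
}

// Render a value as a single, well-formed JS double-quoted string literal.
// Only JSON-compatible escapes are used, so JSON.parse can read the result back.
function jsStringLiteral(value) {
  const s = String(value);
  let out = '"';
  for (const ch of s) {
    switch (ch) {
      case '\\':     out += '\\\\'; break;
      case '"':      out += '\\"';  break;
      case '\n':     out += '\\n';  break;
      case '\r':     out += '\\r';  break;
      case '\t':     out += '\\t';  break;
      case '<':      out += '\\u003c'; break; // a value cannot emit "</script>"
      case '>':      out += '\\u003e'; break;
      case '&':      out += '\\u0026'; break;
      case '\u2028': out += '\\u2028'; break; // JS treats these as line terminators
      case '\u2029': out += '\\u2029'; break;
      default:
        if (ch < ' ') {
          // Remaining C0 control characters: emit as \uXXXX.
          out += '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
        } else {
          out += ch;
        }
    }
  }
  return out + '"';
}

// Build the custom-variable lines of a tracking snippet from a list of
// {name, value} pairs. The escaper is injectable so the unsafe and safe
// renderings can be compared side by side.
function renderCustomVariables(vars, escape = jsStringLiteral) {
  return vars
    .map((v, i) =>
      "_paq.push(['setCustomVariable', " + (i + 1) + ', ' +
      escape(v.name) + ', ' + escape(v.value) + ", 'visit']);")
    .join('\n');
}

// Constructed sample input, mirroring the reproduction in the report.
const sampleVars = [{ name: 'hello"world', value: 'some value' }];

console.log('unsafe:\n' + renderCustomVariables(sampleVars, naiveJsString));
console.log('safe:\n' + renderCustomVariables(sampleVars));
```

The safe rendering for the sample prints `_paq.push(['setCustomVariable', 1, "hello\"world", "some value", 'visit']);`, which is the output the report expected. Escaping happens at the point where the value is placed into JavaScript source, independently of any HTML-entity encoding applied earlier to API parameters; the two contexts need separate encoders, which is the mismatch the description's #4231 remark points at.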
The JS tracking code in jsTrackingGenerator.js uses .html to insert the code, so no XSS issues there.
|raw. There might be an XSS issue here, though it will only be triggered if somehow the other generate() parameters are used.
I think after the TODO that's in the code is dealt with, and the above XSS is verified to be a non-issue, this can be merged.
Created new issue here: #8123