@mnapoli opened this issue on June 15th 2015

The tracking code generator was not escaping quotes in string values (e.g. tracking custom variables).

Was reported in #8035

JS Tracking Code > Advanced > "Track Custom variables for this visitor" -> set Name to hello"world -> in the JS code, expected to get "hello\"world", got instead: "hello"world"

Also, the automatic HTML entity encoding for API parameters was messing things up (yet another #4231 win); I added a temporary fix to remove later.

Reviewers: please give another look for XSS issues.
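An added illustration of the escaping this issue asks for, written in JavaScript rather than the PHP generator itself (example code, not Piwik's; the function names and the `_paq.push` call shape are assumptions): the naive concatenation reproduces the reported "hello"world", while the escaped form yields "hello\"world" and a snippet that still parses.

```javascript
// Added illustration (not Piwik's code): the bug was interpolating user-supplied
// values such as a custom-variable name straight into the generated JS snippet.
// A value containing a double quote then terminates the string literal early.

// Naive generator: reproduces the reported behaviour ("hello"world").
function customVariableCallUnescaped(index, name, value, scope) {
  return '_paq.push(["setCustomVariable", ' + index + ', "' + name +
         '", "' + value + '", "' + scope + '"]);';
}

// Escape a value so it always becomes one well-formed JS string literal.
// Covers backslashes and quotes (the reported case) plus characters that would
// break the literal or the surrounding <script> element when output via |raw.
function jsStringLiteral(value) {
  let out = '"';
  for (const ch of String(value)) {
    switch (ch) {
      case '\\': out += '\\\\'; break;
      case '"':  out += '\\"'; break;
      case '\n': out += '\\n'; break;
      case '\r': out += '\\r'; break;
      case '\u2028': out += '\\u2028'; break;   // JS line terminators
      case '\u2029': out += '\\u2029'; break;
      case '<':  out += '\\x3c'; break;         // keeps "</script>" out of the snippet
      case '>':  out += '\\x3e'; break;
      default:   out += ch;
    }
  }
  return out + '"';
}

// Fixed generator: non-string parameters are validated, strings are escaped.
function customVariableCall(index, name, value, scope) {
  const idx = Number.parseInt(index, 10);
  if (!Number.isInteger(idx) || idx < 1) throw new Error('invalid custom variable index');
  if (scope !== 'visit' && scope !== 'page') throw new Error('invalid scope');
  return '_paq.push(["setCustomVariable", ' + idx + ', ' +
         jsStringLiteral(name) + ', ' + jsStringLiteral(value) + ', "' + scope + '"]);';
}

// Check that a generated snippet is syntactically valid JavaScript.
function isValidSnippet(code) {
  try { new Function('_paq', code); return true; } catch (e) { return false; }
}

// Run a snippet against a stub _paq array and return what it pushed.
function runSnippet(code) {
  const _paq = [];
  new Function('_paq', code)(_paq);
  return _paq;
}
```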

@diosmosis commented on June 16th 2015

The JS tracking code in jsTrackingGenerator.js uses .val not .html to insert the code, so no XSS issues there.

I see that TrackingCodeGenerator is used when rendering the _displayJavascriptCode template, but the template outputs the tracker code via |raw. There might be an XSS issue here, though it will only be triggered if somehow the other generate() parameters are used.

I think after the TODO that's in the code is dealt with, and the above XSS is verified to be a non-issue, this can be merged.

@diosmosis commented on June 16th 2015

Created new issue here: #8123

This issue was closed on June 16th 2015