Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed issue #19442: Generated analytics script does not properly escape question group name #3761

Merged
merged 2 commits into from
Mar 4, 2024
Merged

Fixed issue #19442: Generated analytics script does not properly escape question group name #3761

merged 2 commits into from
Mar 4, 2024

Conversation

mfavetti
Copy link
Contributor

Fixed issue #19442: Generated analytics script does not properly escape question group name

https://bugs.limesurvey.org/view.php?id=19442

master

Shnoulle
Shnoulle reviewed Feb 27, 2024
View reviewed changes
Copy link
Collaborator

@Shnoulle Shnoulle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer to encode only part of the data

Else : GA have a documentation about authorized character ?

application/core/LS_Twig_Extension.php Outdated
@@ -746,7 +746,7 @@ public static function getGoogleAnalyticsTrackingUrl($surveyId, $trackUrlPageNam
}
}

$trackURL = htmlspecialchars($surveyName . '-[' . $surveyId . ']/[' . $page . ']-' . $groupName);
$trackURL = htmlspecialchars($surveyName . '-[' . $surveyId . ']/[' . $page . ']-' . $groupName, ENT_QUOTES);
Copy link
Collaborator

@Shnoulle Shnoulle Feb 27, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

htmlspecialchars($surveyName) . '-[' . $surveyId . ']/[' . $page . ']-' . htmlspecialchars($groupName)

Maybe use Chtml::encode ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this issue is not related to GA itself at all

limesurvey is generating javascript (in this context a string), so the contents of the string must be properly escaped or the browser will not be able to properly parse the javascript. i think it's appropriate to escape the function's entire return value as it's dumped directly into a javascript context later by twig:

LimeSurvey/themes/survey/vanilla/views/subviews/header/google_analytics.twig

Line 56 in ddf8833

gtag('event', 'page_view', { page_title: '{{ trackUrl }}' })

usage of Chtml::encode vs htmlspecialchars seems to be split 50/50 across code base, is Chtml::encode the preferred method?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this issue is not related to GA itself at all

OK

limesurvey is generating javascript (in this context a string), so the contents of the string must be properly escaped or the browser will not be able to properly parse the javascript. i think it's appropriate to escape the function's entire return value as it's dumped directly into a javascript context later by twig:

Then escape it in twig part ? No ?

usage of Chtml::encode vs htmlspecialchars seems to be split 50/50 across code base, is Chtml::encode the preferred method?

I don't know, but i always think it's better to use framework functionnality if we have a framework. Personnal opinion here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok will escape in twig and update tmrw

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok will escape in twig and update tmrw

Still my opinion :) Not sure at 100% (i set it as comment, not are "To update")

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok will escape in twig and update tmrw

Oh ! It's not only an opinion : if someone fix it in template : you broke the fix.

This NEED to be done in template only ! Else : broke API.

Shnoulle
Shnoulle requested changes Feb 27, 2024
View reviewed changes
Copy link
Collaborator

@Shnoulle Shnoulle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't broke API : if someone fix views/subviews/header/google_analytics.twig in extended theme : updating value sent : you broke the theme.

@Shnoulle Shnoulle added Code review done Version checked for code issue without testing and removed Needs update by author Needs code review labels Feb 28, 2024
@tiborpacalat tiborpacalat added Tested OK This PR has been tested by QA and works as expected and removed Needs testing labels Mar 4, 2024
@tiborpacalat tiborpacalat merged commit b23b003 into LimeSurvey:master Mar 4, 2024
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Shnoulle Shnoulle Shnoulle approved these changes

Assignees
No one assigned
Labels
Code review done Version checked for code issue without testing Tested OK This PR has been tested by QA and works as expected
Projects
None yet
Milestone
No milestone
3 participants
@mfavetti @Shnoulle @tiborpacalat