Fixed issue #19442: Generated analytics script does not properly escape question group name #3761
I prefer to encode only part of the data.
Else: does GA have documentation about authorized characters?
@@ -746,7 +746,7 @@ public static function getGoogleAnalyticsTrackingUrl($surveyId, $trackUrlPageNam | |||
} | |||
} | |||
|
|||
$trackURL = htmlspecialchars($surveyName . '-[' . $surveyId . ']/[' . $page . ']-' . $groupName); | |||
$trackURL = htmlspecialchars($surveyName . '-[' . $surveyId . ']/[' . $page . ']-' . $groupName, ENT_QUOTES); |
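Review bot: the added ENT_QUOTES still applies HTML entity escaping to a value that the template drops into a single-quoted JavaScript string (`page_title: '{{ trackUrl }}'`), so a quote in the group name now reaches the page as `&#039;` inside the title, and a backslash in the name is not touched by htmlspecialchars at all. The escaping for that JavaScript string context belongs in the twig template (for example Twig's `escape('js')` filter applied to `trackUrl`), with the function returning the raw value; that also keeps the return value stable for themes that override google_analytics.twig, as the thread raises further down.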
htmlspecialchars($surveyName) . '-[' . $surveyId . ']/[' . $page . ']-' . htmlspecialchars($groupName)
Maybe use Chtml::encode?
This issue is not related to GA itself at all.
LimeSurvey is generating JavaScript (in this context a string), so the contents of the string must be properly escaped or the browser will not be able to parse the JavaScript. I think it's appropriate to escape the function's entire return value as it's dumped directly into a JavaScript context later by twig:
gtag('event', 'page_view', { page_title: '{{ trackUrl }}' })
Usage of Chtml::encode vs htmlspecialchars seems to be split 50/50 across the code base; is Chtml::encode the preferred method?
This issue is not related to GA itself at all.
OK
LimeSurvey is generating JavaScript (in this context a string), so the contents of the string must be properly escaped or the browser will not be able to parse the JavaScript. I think it's appropriate to escape the function's entire return value as it's dumped directly into a JavaScript context later by twig:
Then escape it in the twig part? No?
Usage of Chtml::encode vs htmlspecialchars seems to be split 50/50 across the code base; is Chtml::encode the preferred method?
I don't know, but I always think it's better to use framework functionality if we have a framework. Personal opinion here.
OK, will escape in twig and update tomorrow.
OK, will escape in twig and update tomorrow.
Still my opinion :) Not 100% sure (I set it as a comment, not as "To update").
OK, will escape in twig and update tomorrow.
Oh! It's not only an opinion: if someone fixes it in the template, you break the fix.
This NEEDS to be done in the template only! Else: it breaks the API.
Don't break the API: if someone fixed views/subviews/header/google_analytics.twig in an extended theme, updating the value sent breaks the theme.
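An added example, not LimeSurvey's code, illustrating the two points made above: the value ends up inside a single-quoted JavaScript string in the twig template, so HTML escaping (what htmlspecialchars with ENT_QUOTES does) is the wrong escaper for that context, while a JS-string escaper in the style of Twig's `js` strategy produces a literal that parses back to the original title. The helper names, the sample group name and the gtag line are constructed here.

```javascript
// Added example (not LimeSurvey's own code): escaping for the single-quoted
// JavaScript string the twig template emits, contrasted with HTML escaping.

// HTML escaping as PHP's htmlspecialchars($s, ENT_QUOTES) performs it.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  }[c]));
}

// JS-string-context escaping, modelled on Twig's "js" escape strategy:
// every character outside [A-Za-z0-9,._] becomes \xHH (code point < 256)
// or \uHHHH, so a quote, backslash or line terminator in the group name
// can never end the string literal early.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9,._]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    const hi = 0xd800 + ((cp - 0x10000) >> 10);   // astral plane: surrogate pair
    const lo = 0xdc00 + ((cp - 0x10000) & 0x3ff);
    return '\\u' + hi.toString(16) + '\\u' + lo.toString(16);
  });
}

// The line the template produces for a given (already escaped) trackUrl.
function gtagLine(escapedTrackUrl) {
  return "gtag('event', 'page_view', { page_title: '" + escapedTrackUrl + "' });";
}

// What a browser would parse out of the literal: decode \xHH and \uHHHH.
function decodeJsLiteral(escaped) {
  return escaped.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// True when the literal holds no raw quote, "<" or line terminator and every
// backslash is the prefix of a \xHH or \uHHHH escape.
function literalIsSafe(escaped) {
  return !/['"\n\r\u2028\u2029<]|\\(?!x[0-9a-f]{2}|u[0-9a-f]{4})/i.test(escaped);
}

// Constructed sample group name containing a quote, a backslash and a tag.
const trackUrl = "Survey-[1]/[2]-O'Brien \\ <b>group</b>";
console.log(gtagLine(htmlEscape(trackUrl)));     // title shows &#039;, backslash kept
console.log(gtagLine(jsStringEscape(trackUrl))); // decodes back to the original name
```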
Fixed issue #19442: Generated analytics script does not properly escape question group name
https://bugs.limesurvey.org/view.php?id=19442