
sanitize tracking code displayed in the UI on output, not input #8123

@diosmosis

Description


In TrackingCodeGenerator::generate(), htmlentities() is used (improperly) to escape HTML characters. The result is then outputted w/o escaping in _displayJavascriptCode.twig. Instead, TrackingCodeGenerator should return JS code w/o any additional processing/escaping, and it should be escaped only in HTML/XML output.

This is BC breaking since it affects API output. Users of that API currently will have to unsanitize or display the text w/o escaping, so it may break uses.

Refs #4231, #8109
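As an added example (not code from the Matomo project or from the issue author), the pattern the issue asks for, in PHP: a generator that returns raw JavaScript, with escaping applied only at each output boundary, placed beside the escape-on-input pattern the issue objects to. `generateTrackingCode`, `generateEscapedOnInput`, `renderForHtml`, `renderForJsonApi` and the shortened snippet are hypothetical stand-ins for `TrackingCodeGenerator::generate()` and the Twig template, not their real signatures.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for TrackingCodeGenerator::generate(): builds the
// snippet as raw JavaScript. The only escaping here is JS-string escaping of
// the values embedded in the script, because this layer is a JS context.
function generateTrackingCode(string $matomoUrl, int $siteId): string
{
    $url = json_encode($matomoUrl, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    return "<!-- Matomo -->\n<script>\n"
        . "  var _paq = window._paq = window._paq || [];\n"
        . "  _paq.push(['trackPageView']);\n"
        . "  (function() {\n"
        . "    var u={$url};\n"
        . "    _paq.push(['setTrackerUrl', u+'matomo.php']);\n"
        . "    _paq.push(['setSiteId', {$siteId}]);\n"
        . "  })();\n</script>\n<!-- End Matomo Code -->\n";
}

// The pattern the issue objects to: HTML-escaping inside the generator, so
// every consumer (including the JSON API) receives entities instead of JS.
function generateEscapedOnInput(string $matomoUrl, int $siteId): string
{
    return htmlentities(generateTrackingCode($matomoUrl, $siteId), ENT_QUOTES, 'UTF-8');
}

// Output boundary 1: the snippet shown inside an HTML page. This is what Twig
// autoescaping does for {{ code }}, and what `|raw` in a template bypasses.
function renderForHtml(string $code): string
{
    return '<pre>' . htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Output boundary 2: a JSON API response needs JSON escaping, not HTML entities.
function renderForJsonApi(string $code): string
{
    return json_encode(['value' => $code], JSON_THROW_ON_ERROR);
}

// Constructed sample values; the URL and site id are not real.
$good = generateTrackingCode('https://analytics.example.org/', 7);
$bad  = generateEscapedOnInput('https://analytics.example.org/', 7);

// API consumers of the input-escaped version get text that is no longer JS.
assert(str_contains(renderForJsonApi($bad), '&lt;script&gt;'));
assert(!str_contains(renderForJsonApi($good), '&lt;'));
// Escaping at the HTML boundary only: one layer of entities, no double-escaping.
assert(str_contains(renderForHtml($good), '&lt;script&gt;'));
assert(!str_contains(renderForHtml($good), '&amp;lt;'));
echo renderForHtml($good), PHP_EOL, renderForJsonApi($good), PHP_EOL;
```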

Labels: Technical debt, c: APIs, c: Platform, c: Usability
