sanitize tracking code displayed in the UI on output, not input #8123
Labels
c: Platform
For Matomo platform changes that aren't impacting any of our APIs but improve the core itself.
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in GitHub.
Technical debt
Issues that will help to reduce technical debt
In TrackingCodeGenerator::generate(), htmlentities() is used (improperly) to escape HTML characters. The result is then output w/o escaping in _displayJavascriptCode.twig. Instead, TrackingCodeGenerator should return JS code w/o any additional processing/escaping, and it should be escaped only in HTML/XML output.

This is BC breaking since it affects API output. Users of that API currently will have to unsanitize or display the text w/o escaping, so it may break uses.
Refs #4231, #8109
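The escape-at-output pattern the issue asks for, as an added illustration that is not Matomo's code and does not use Matomo's real classes or template names: the generator returns raw JavaScript (embedding values as JS literals via json_encode so they cannot break the script), the HTML view applies htmlspecialchars exactly once, and the JSON API view ships the raw string. A `generateTrackingCodeOld()` helper reproduces the objected-to pattern (htmlentities inside the generator) to show the two consequences named above: entities leaking into API output, and double escaping when a view escapes again. All function names and the sample tracker URL are hypothetical.

```php
<?php
// Added example, not Matomo code. Function names and sample values are hypothetical.

/** Build the raw JavaScript snippet. Values are embedded as JS string literals
 *  via json_encode, so quotes or backslashes in the inputs cannot break the JS.
 *  No HTML escaping happens here: this string is data, not HTML. */
function generateTrackingCode(string $idSite, string $trackerUrl): string
{
    $u  = json_encode($trackerUrl, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    $id = json_encode($idSite, JSON_THROW_ON_ERROR);
    return "var _paq = window._paq = window._paq || [];\n"
         . "_paq.push(['trackPageView']);\n"
         . "(function() {\n"
         . "  var u = $u;\n"
         . "  _paq.push(['setTrackerUrl', u + 'matomo.php']);\n"
         . "  _paq.push(['setSiteId', $id]);\n"
         . "})();";
}

/** HTML view: escape exactly once, at the output boundary, so the snippet is
 *  displayed verbatim inside <pre> and cannot inject markup into the page. */
function renderHtml(string $js): string
{
    return '<pre>' . htmlspecialchars($js, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

/** API view: ship the raw code; JSON encoding is the only escaping the
 *  transport needs, and consumers get text they can paste as-is. */
function renderJson(string $js): string
{
    return json_encode(['javascript' => $js], JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
}

/** The pattern the issue objects to: HTML-escaping inside the generator,
 *  before anyone knows whether the output is HTML, JSON or plain text. */
function generateTrackingCodeOld(string $idSite, string $trackerUrl): string
{
    return htmlentities(generateTrackingCode($idSite, $trackerUrl), ENT_QUOTES, 'UTF-8');
}

$js = generateTrackingCode('1', 'https://example.com/matomo/');   // constructed sample input
echo renderHtml($js), "\n";
echo renderJson($js), "\n";

// Old pattern: the API consumer receives '&#039;' where the JS has a quote, and
// a view that escapes on output (as it should) shows '&amp;#039;' on screen.
$old = generateTrackingCodeOld('1', 'https://example.com/matomo/');
var_dump(strpos($old, '&#039;') !== false);                 // true: entities leaked into API output
var_dump(strpos(renderHtml($old), '&amp;#039;') !== false);  // true: double escaping in the HTML view
```

The design point is that escaping is a property of the output context, not of the data: the same string needs htmlspecialchars when it lands in HTML and no HTML escaping at all when it lands in JSON, so the only place that can do it correctly is the view (in Twig, the template's autoescape or an explicit `|e` filter), never the generator.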