![[staff profile]](https://www.dreamwidth.org/img/silk/identity/user_staff.png){kind=small}
![[site community profile]](https://www.dreamwidth.org/img/comm_staff.png){kind=small}
[dw-free] http://bugs.dwscoalition.org/show_bug.cgi?id=1602
[commit: http://hg.dwscoalition.org/dw-free/rev/fdb51799fa25]
http://bugs.dwscoalition.org/show_bug.cgi?id=1602
Fix unsanitized output issue with Google Analytics ids.
Patch by![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
rat.
Files modified:
http://bugs.dwscoalition.org/show_bug.cgi?id=1602
Fix unsanitized output issue with Google Analytics ids.
Patch by
rat.Files modified:
- bin/upgrading/en.dat
- cgi-bin/DW/PageStats/GoogleAnalytics.pm
- cgi-bin/DW/Setting/GoogleAnalytics.pm
--------------------------------------------------------------------------------
diff -r 2959a543e2d9 -r fdb51799fa25 bin/upgrading/en.dat
--- a/bin/upgrading/en.dat Mon Aug 17 13:46:16 2009 -0500
+++ b/bin/upgrading/en.dat Tue Aug 18 02:37:21 2009 +0000
@@ -2663,6 +2663,8 @@ setting.graphicpreviews.option.comm=Allo
setting.graphicpreviews.option.self=Display a preview of external links when hovering over them
+setting.googleanalytics.error.invalid=Invalid Google Analytics ID entered, must be of the format: UA-NNNNNNN-NN (where N represents numbers).
+
setting.googleanalytics.label=Google Analytics ID
setting.imageplaceholders.error.invalid=Invalid image size.
diff -r 2959a543e2d9 -r fdb51799fa25 cgi-bin/DW/PageStats/GoogleAnalytics.pm
--- a/cgi-bin/DW/PageStats/GoogleAnalytics.pm Mon Aug 17 13:46:16 2009 -0500
+++ b/cgi-bin/DW/PageStats/GoogleAnalytics.pm Tue Aug 18 02:37:21 2009 +0000
@@ -29,8 +29,12 @@ sub render {
$code = $LJ::SITE_PAGESTAT_CONFIG{google_analytics};
} elsif ( $ctx eq 'journal' ) {
$code = LJ::get_active_journal()->google_analytics;
+ # the ejs call isn't strictly necessary but catches any
+ # dodgy analytics codes which may have been stored before
+ # validation was implemented.
+ $code = LJ::ejs( $code );
}
-
+
return qq{
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
diff -r 2959a543e2d9 -r fdb51799fa25 cgi-bin/DW/Setting/GoogleAnalytics.pm
--- a/cgi-bin/DW/Setting/GoogleAnalytics.pm Mon Aug 17 13:46:16 2009 -0500
+++ b/cgi-bin/DW/Setting/GoogleAnalytics.pm Tue Aug 18 02:37:21 2009 +0000
@@ -56,7 +56,13 @@ sub save {
my $txt = $class->get_arg( $args, "code" );
$txt = LJ::trim( $txt || "" );
$txt = LJ::text_trim( $txt, 0, 100 );
- $u->google_analytics ( $txt );
+ # Check that the ID matches the format UA-number-number
+ # or is blank before proceeding.
+ if ( $txt =~ /^UA-\d{1,20}-\d{1,5}$/i or $txt eq "" ) {
+ $u->google_analytics ( $txt );
+ } else {
+ $class->errors( "code" => $class->ml( 'setting.googleanalytics.error.invalid' ) ) ;
+ }
return 1;
}
--------------------------------------------------------------------------------