From f28dccf4e11f041564293e4f407e69ab9ee2277f Mon Sep 17 00:00:00 2001 From: Louis Lam Date: Fri, 24 Nov 2023 17:18:01 +0800 Subject: [PATCH] Merge pull request from GHSA-v4v2-8h88-65qj --- package-lock.json | 14 ++++++++++---- package.json | 1 + server/google-analytics.js | 14 +++++++++----- 3 files changed, 20 insertions(+), 9 deletions(-) diff --git a/package-lock.json b/package-lock.json index 81bfcf76f..8cf653a17 100644 --- a/package-lock.json +++ b/package-lock.json @@ -33,6 +33,7 @@ "express-static-gzip": "~2.1.7", "form-data": "~4.0.0", "gamedig": "~4.1.0", + "html-escaper": "^3.0.3", "http-graceful-shutdown": "~3.1.7", "http-proxy-agent": "~5.0.0", "https-proxy-agent": "~5.0.1", @@ -10747,10 +10748,9 @@ "dev": true }, "node_modules/html-escaper": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz", - "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==", - "dev": true + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-3.0.3.tgz", + "integrity": "sha512-RuMffC89BOWQoY0WKGpIhn5gX3iI54O6nRA0yC124NYVtzjmFWBIiFd8M0x+ZdX0P9R4lADg1mgP8C7PxGOWuQ==" }, "node_modules/html-tags": { "version": "3.3.1", @@ -11558,6 +11558,12 @@ "node": ">=8" } }, + "node_modules/istanbul-reports/node_modules/html-escaper": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz", + "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==", + "dev": true + }, "node_modules/jackspeak": { "version": "2.3.6", "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-2.3.6.tgz", diff --git a/package.json b/package.json index b6c7c22d3..cb108bd3e 100644 --- a/package.json +++ b/package.json 
@@ -100,6 +100,7 @@
 "express-static-gzip": "~2.1.7",
 "form-data": "~4.0.0",
 "gamedig": "~4.1.0",
+ "html-escaper": "^3.0.3",
 "http-graceful-shutdown": "~3.1.7",
 "http-proxy-agent": "~5.0.0",
 "https-proxy-agent": "~5.0.1",
diff --git a/server/google-analytics.js b/server/google-analytics.js
index fc9fbec84..3e8e645f4 100644
--- a/server/google-analytics.js
+++ b/server/google-analytics.js
@@ -1,4 +1,5 @@
 const jsesc = require("jsesc");
+const { escape } = require("html-escaper");
 /**
 * Returns a string that represents the javascript that is required to insert the Google Analytics scripts
@@ -7,15 +8,18 @@ const jsesc = require("jsesc");
 * @returns {string}
 */
 function getGoogleAnalyticsScript(tagId) {
- let escapedTagId = jsesc(tagId, { isScriptContext: true });
+ let escapedTagIdJS = jsesc(tagId, { isScriptContext: true });
- if (escapedTagId) {
- escapedTagId = escapedTagId.trim();
+ if (escapedTagIdJS) {
+ escapedTagIdJS = escapedTagIdJS.trim();
 }
+ // Escape the tag ID for use in an HTML attribute.
+ let escapedTagIdHTMLAttribute = escape(tagId);
+
 return `
-
-
+
+
 `;
 }
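Review bot: `escape(tagId)` in the second `server/google-analytics.js` hunk runs on the raw value, without the falsy guard or the `.trim()` that the JS-context copy gets just above it, so the two renderings of the same ID can differ; as far as I know html-escaper's `escape` also throws on `null`/`undefined` instead of returning an empty string. Normalising once, e.g. `const id = String(tagId ?? "").trim();`, and deriving both escaped copies from `id` would keep them consistent. The template body is not legible on this page; if the attribute copy is placed inside a URL query string, HTML-escaping alone stops attribute breakout but still lets `&` or `#` change the URL, so `escape(encodeURIComponent(id))` would be the safer form there. Because an analytics tag ID is a short identifier, rejecting anything outside an allowlist (something like `/^[A-Za-z0-9_-]+$/`) before rendering would make both escapes defence in depth rather than the only barrier.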