Merge pull request from GHSA-v4v2-8h88-65qj

package-lock.json

@@ -33,6 +33,7 @@
                 "express-static-gzip": "~2.1.7",
                 "form-data": "~4.0.0",
                 "gamedig": "~4.1.0",
+                "html-escaper": "^3.0.3",
                 "http-graceful-shutdown": "~3.1.7",
                 "http-proxy-agent": "~5.0.0",
                 "https-proxy-agent": "~5.0.1",
@@ -10747,10 +10748,9 @@
             "dev": true
         },
         "node_modules/html-escaper": {
-            "version": "2.0.2",
+            "version": "3.0.3",
-            "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-3.0.3.tgz",
-            "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==",
+            "integrity": "sha512-RuMffC89BOWQoY0WKGpIhn5gX3iI54O6nRA0yC124NYVtzjmFWBIiFd8M0x+ZdX0P9R4lADg1mgP8C7PxGOWuQ=="
-            "dev": true
         },
         "node_modules/html-tags": {
             "version": "3.3.1",
@@ -11558,6 +11558,12 @@
                 "node": ">=8"
             }
         },
+        "node_modules/istanbul-reports/node_modules/html-escaper": {
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
+            "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==",
+            "dev": true
+        },
         "node_modules/jackspeak": {
             "version": "2.3.6",
             "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-2.3.6.tgz",

package.json

@@ -100,6 +100,7 @@
         "express-static-gzip": "~2.1.7",
         "form-data": "~4.0.0",
         "gamedig": "~4.1.0",
+        "html-escaper": "^3.0.3",
         "http-graceful-shutdown": "~3.1.7",
         "http-proxy-agent": "~5.0.0",
         "https-proxy-agent": "~5.0.1",

server/google-analytics.js

@@ -1,4 +1,5 @@
 const jsesc = require("jsesc");
+const { escape } = require("html-escaper");
 
 /**
  * Returns a string that represents the javascript that is required to insert the Google Analytics scripts
@@ -7,15 +8,18 @@ const jsesc = require("jsesc");
  * @returns {string}
  */
 function getGoogleAnalyticsScript(tagId) {
-    let escapedTagId = jsesc(tagId, { isScriptContext: true });
+    let escapedTagIdJS = jsesc(tagId, { isScriptContext: true });
 
-    if (escapedTagId) {
+    if (escapedTagIdJS) {
-        escapedTagId = escapedTagId.trim();
+        escapedTagIdJS = escapedTagIdJS.trim();
     }
 
+    // Escape the tag ID for use in an HTML attribute.
+    let escapedTagIdHTMLAttribute = escape(tagId);
+
     return `
-        <script async src="https://www.googletagmanager.com/gtag/js?id=${escapedTagId}"></script>
+        <script async src="https://www.googletagmanager.com/gtag/js?id=${escapedTagIdHTMLAttribute}"></script>
-        <script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());gtag('config', '${escapedTagId}'); </script>
+        <script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());gtag('config', '${escapedTagIdJS}'); </script>
     `;
 }