During a review of a pull request on a different project, a security concern was identified regarding the direct usage of template variables ({{ site.google-analytics-id }}) in JavaScript, which could potentially lead to XSS attacks. While template variables are HTML escaped, this does not always prevent XSS attacks when used in JavaScript.
To enhance security, it's suggested to place this data in the HTML portion outside of a script tag or use a JavaScript-specific encoder. For example:
This approach minimizes the risk of XSS attacks by avoiding direct insertion of template variables into JavaScript.
This issue was raised in the context of a PR review on the Stadt-Geschichte-Basel/forschung.stadtgeschichtebasel.ch repository. It's recommended to review and potentially apply this security enhancement across relevant projects.
evanwill
commented
4 months ago
During a review of a pull request on a different project, a security concern was identified regarding the direct usage of template variables (
{{ site.google-analytics-id }}) in JavaScript, which could potentially lead to XSS attacks. While template variables are HTML escaped, this does not always prevent XSS attacks when used in JavaScript.To enhance security, it's suggested to place this data in the HTML portion outside of a script tag or use a JavaScript-specific encoder. For example:
This approach minimizes the risk of XSS attacks by avoiding direct insertion of template variables into JavaScript.
This issue was raised in the context of a PR review on the Stadt-Geschichte-Basel/forschung.stadtgeschichtebasel.ch repository. It's recommended to review and potentially apply this security enhancement across relevant projects.
PR URL: https://github.com/Stadt-Geschichte-Basel/forschung.stadtgeschichtebasel.ch/pull/39 Comment URL: https://github.com/Stadt-Geschichte-Basel/forschung.stadtgeschichtebasel.ch/pull/39#discussion_r1502395129