The append_* methods write their properties directly to a <script> tag without any sanitization - this means that if you're pushing user-generated content to Mixpanel using e.g. append_track, the user can inject arbitrary JavaScript in the generated page.
This change recursively escapes strings in the properties object using ActionView's escape_javascript implementation.
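Worked example, added here and not part of this PR or the mixpanel gem's code: a hypothetical renderer that interpolates event properties straight into a <script> tag, the pattern the description calls out, beside a version that first runs every string in the properties hash through a recursive escape. The `escape_javascript` below is a stand-alone copy of ActionView's rule table (assumed to match the Rails helper; in a Rails app call the real helper), and `render_track_unsafe`, `render_track_safe`, `escape_properties`, `js_literal` and the payload string are illustrative names and constructed input, not the gem's API.

```ruby
# Added example, not the mixpanel gem's code. Shows why unescaped properties in a
# <script> tag are an XSS and how recursive escaping of every string fixes it.

# Escape table modeled on ActionView's escape_javascript (assumed to match the
# Rails helper; in a Rails app call the real helper instead of this copy).
JS_ESCAPE_MAP = {
  '\\'     => '\\\\',
  '</'     => '<\/',
  "\r\n"   => '\n',
  "\n"     => '\n',
  "\r"     => '\n',
  '"'      => '\"',
  "'"      => "\\'",
  '`'      => '\`',
  '$'      => '\$',
  "\u2028" => '&#x2028;',
  "\u2029" => '&#x2029;'
}.freeze

# Escape one string so it is safe inside a JavaScript string literal.
def escape_javascript(str)
  str.gsub(/\\|<\/|\r\n|\u2028|\u2029|[\n\r"'`$]/) { |m| JS_ESCAPE_MAP[m] }
end

# Walk a properties value and escape every string, keys included (the renderer
# below quotes keys too). Numbers, booleans and nil pass through unchanged.
def escape_properties(value)
  case value
  when String then escape_javascript(value)
  when Hash   then value.each_with_object({}) { |(k, v), out| out[escape_javascript(k.to_s)] = escape_properties(v) }
  when Array  then value.map { |v| escape_properties(v) }
  else value
  end
end

# Hypothetical serializer: builds a JS literal by string interpolation, which is
# exactly the "written directly to the tag" behaviour the PR description calls out.
def js_literal(value)
  case value
  when String then "'#{value}'"
  when Hash   then '{' + value.map { |k, v| "'#{k}': #{js_literal(v)}" }.join(', ') + '}'
  when Array  then '[' + value.map { |v| js_literal(v) }.join(', ') + ']'
  when nil    then 'null'
  else value.to_s
  end
end

# Vulnerable: user-controlled strings land in the tag verbatim.
def render_track_unsafe(event, properties)
  "<script type=\"text/javascript\">mixpanel.track(#{js_literal(event)}, #{js_literal(properties)});</script>"
end

# Fixed: escape recursively first, then serialize exactly as before.
def render_track_safe(event, properties)
  render_track_unsafe(escape_javascript(event), escape_properties(properties))
end

# Number of literal </script> closers in the rendered HTML. The HTML parser ends
# the script element at the first one, so a second closer means a break-out.
def script_closers(html)
  html.scan(%r{</script>}).size
end

# Constructed attacker input posing as a user's display name: closes the JS
# string, the mixpanel.track() call and the script element, then opens its own.
PAYLOAD = "x'); </script><script>alert(document.cookie)//".freeze

if $PROGRAM_NAME == __FILE__
  puts render_track_unsafe('Signup', 'name' => PAYLOAD)
  puts render_track_safe('Signup', 'name' => PAYLOAD)
end
```

In the unsafe output the payload's `</script>` terminates the element and the attacker's own tag runs; in the safe output it is rewritten to `<\/script>`, which the HTML parser does not treat as a closer and which JavaScript reads back as the original characters inside the string literal.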