zevarito / mixpanel

Simple lib to track events in Mixpanel service. It can be used in any rack based framework.
MIT License
273 stars 84 forks

Escape generated javascript in append_* methods #130

Closed bradleybuda closed 10 years ago

bradleybuda commented 10 years ago

The append_* methods write their properties directly to a <script> tag without any sanitization - this means that if you're pushing user-generated content to Mixpanel using e.g. append_track, the user can inject arbitrary JavaScript in the generated page.

This change recursively escapes strings in the properties object using ActionView's escape_javascript implementation.
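The following is an added illustration of the defect and the fix described in this PR; it is not code from the mixpanel gem or from the PR itself. Rails is not loaded, so `escape_javascript` below is a standalone re-implementation of the escaping that ActionView's helper performs, and `render_track_unescaped`, `render_track_escaped`, `js_literal` and `script_breakout?` are hypothetical names chosen for the example. The sample properties hash is constructed.

```ruby
require 'json'

# Standalone re-implementation of the replacements ActionView's
# escape_javascript applies (assumption for this example; Rails is not loaded).
JS_ESCAPE_MAP = {
  "\\"   => '\\\\',
  "</"   => '<\/',
  "\r\n" => '\\n',
  "\n"   => '\\n',
  "\r"   => '\\n',
  '"'    => '\\"',
  "'"    => '\\\'',
  "`"    => '\\`',
  "$"    => '\\$',
}.freeze

# Escape one string so it is safe inside a JS string literal embedded in HTML.
# The important replacement for a <script> body is "</" -> "<\/": the browser's
# HTML parser can no longer see a closing tag inside the value.
def escape_javascript(str)
  str.to_s.gsub(/\\|<\/|\r\n|\r|\n|"|'|`|\$/) { |m| JS_ESCAPE_MAP[m] }
end

# Walk a properties hash recursively and escape every string, keys included,
# as the PR describes; numbers, booleans and nil pass through untouched.
def escape_properties(value)
  case value
  when Hash   then value.each_with_object({}) { |(k, v), h| h[escape_javascript(k)] = escape_properties(v) }
  when Array  then value.map { |v| escape_properties(v) }
  when String then escape_javascript(value)
  else value
  end
end

# Emit a JS object literal from already-escaped data (hypothetical helper).
def js_literal(value)
  case value
  when Hash   then "{" + value.map { |k, v| %("#{k}": #{js_literal(v)}) }.join(", ") + "}"
  when Array  then "[" + value.map { |v| js_literal(v) }.join(", ") + "]"
  when String then %("#{value}")
  when nil    then "null"
  else value.to_s # Integer, Float, true, false
  end
end

# Hypothetical renderer with the defect the PR describes: properties are dumped
# with to_json straight into the script body. Ruby's JSON does not escape "/",
# so a value containing "</script>" terminates the tag early.
def render_track_unescaped(event, properties)
  %(<script type="text/javascript">mixpanel.track(#{event.to_json}, #{properties.to_json});</script>)
end

# Hardened renderer: every string is escaped first, then written as a JS string
# literal, so "</script>" in user data becomes "<\/script>" inside the literal.
def render_track_escaped(event, properties)
  safe_props = escape_properties(properties)
  %(<script type="text/javascript">mixpanel.track("#{escape_javascript(event)}", #{js_literal(safe_props)});</script>)
end

# Defender-side check on generated markup: a single tracking snippet should
# contain exactly one closing </script>; any extra one means a value broke out.
def script_breakout?(html)
  html.scan('</script>').size > 1
end

# Constructed sample: a user-controlled profile field carrying a closing tag
# plus quotes and a newline, the characters escape_javascript has to handle.
SAMPLE_PROPERTIES = {
  "plan"     => "free",
  "nickname" => "Bob </script> it's \"fine\"",
  "tags"     => ["a\nb", 42, nil],
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts render_track_unescaped("signup", SAMPLE_PROPERTIES) # two </script> tags: broken out
  puts render_track_escaped("signup", SAMPLE_PROPERTIES)   # one </script> tag: intact
end
```

Note that `escape_javascript` is meant for text placed inside a JS string literal; applying it to strings and then calling `to_json` on the result would double-escape the backslashes and quotes, which is why the hardened renderer above writes the literal itself instead of going through `to_json` a second time.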

zevarito commented 10 years ago

@bradleybuda thanks, version 4.1.0 was pushed.