authorChristian Schmidt <github@chsc.dk>2018-04-23 06:01:28 +0300
committerMatthieu Aubry <mattab@users.noreply.github.com>2018-04-23 06:01:28 +0300
commitcde2b27ec4343aaeb5a21aa39a2f10c26d7bbb02 (patch)
tree987c37386cf356689e418f3ff80fc1396970cf1f
parentebf902a6df433ce2cfc4b24b47b94e194f24ac37 (diff)
Escape ampersands in URLs (#12731)
-rw-r--r--plugins/Morpheus/templates/javascriptCode.twig2
-rw-r--r--plugins/SitesManager/API.php7
-rw-r--r--tests/PHPUnit/Integration/Tracker/TrackerCodeGeneratorTest.php2
3 files changed, 6 insertions, 5 deletions
diff --git a/plugins/Morpheus/templates/javascriptCode.twig b/plugins/Morpheus/templates/javascriptCode.twig
index 155f8f4d4c..722fc28069 100644
--- a/plugins/Morpheus/templates/javascriptCode.twig
+++ b/plugins/Morpheus/templates/javascriptCode.twig
@@ -15,6 +15,6 @@
</script>
{% if not loadAsync %}<script type='text/javascript' src="{$protocol}{$piwikUrl}/piwik.js"></script>
{% endif %}
-{% if trackNoScript %}<noscript><p><img src="{$protocol}{$piwikUrl}/piwik.php?idsite={$idSite}&rec=1" style="border:0;" alt="" /></p></noscript>
+{% if trackNoScript %}<noscript><p><img src="{$protocol}{$piwikUrl}/piwik.php?idsite={$idSite}&amp;rec=1" style="border:0;" alt="" /></p></noscript>
{% endif %}
<!-- End Matomo Code -->
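Review bot: The `&amp;` fix on the noscript line covers only the literal separator between `idsite` and `rec`; the `{$protocol}{$piwikUrl}` and `{$idSite}` tokens on the same line are not Twig expressions, so they appear to be substituted into the markup outside Twig's autoescaping, presumably by the tracking-code generator. If that substitution does not attribute-escape the values, the `src` attribute is only as well-formed as the configured URL and site id, which this hunk does not control. A template comment making that contract explicit would help the next reader, e.g. `{# {$...} placeholders are replaced outside Twig; the substituted values must already be attribute-safe #}`.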
diff --git a/plugins/SitesManager/API.php b/plugins/SitesManager/API.php
index a42802d4fe..560dff863a 100644
--- a/plugins/SitesManager/API.php
+++ b/plugins/SitesManager/API.php
@@ -167,10 +167,11 @@ class API extends \Piwik\Plugin\API
*/
Piwik::postEvent('SitesManager.getImageTrackingCode', array(&$piwikUrl, &$urlParams));
- $piwikUrl = (ProxyHttp::isHttps() ? "https://" : "http://") . $piwikUrl . '/piwik.php';
- return "<!-- Matomo Image Tracker-->
-<img src=\"$piwikUrl?" . Url::getQueryStringFromParameters($urlParams) . "\" style=\"border:0\" alt=\"\" />
+ $url = (ProxyHttp::isHttps() ? "https://" : "http://") . $piwikUrl . '/piwik.php?' . Url::getQueryStringFromParameters($urlParams);
+ $html = "<!-- Matomo Image Tracker-->
+<img src=\"" . htmlspecialchars($url, ENT_COMPAT, 'UTF-8') . "\" style=\"border:0\" alt=\"\" />
<!-- End Matomo -->";
+ return htmlspecialchars($html, ENT_COMPAT, 'UTF-8');
}
/**
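Review bot: Both new `htmlspecialchars(..., ENT_COMPAT, 'UTF-8')` calls — the one building the `src` attribute and the one on the `return` line — return an empty string when their input contains a byte sequence that is not valid UTF-8, so a malformed `$piwikUrl` or parameter value (both are handed by reference to plugin listeners through `Piwik::postEvent('SitesManager.getImageTrackingCode', ...)` on the line above and can be rewritten there) would silently collapse the whole snippet to `''` instead of failing visibly. Passing `ENT_COMPAT | ENT_SUBSTITUTE` keeps the output and replaces the bad bytes with U+FFFD: `htmlspecialchars($url, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8')` and likewise for `$html`. The two-level escaping is also non-obvious — the inner call makes the URL attribute-safe, the outer turns the finished markup into text — and deserves a one-line comment such as `// escaped twice on purpose: once for the src attribute, once so the API returns the snippet as displayable text`. The enclosing method (presumably getImageTrackingCode, going by the event name) starts before this hunk, so its docblock is not visible; it should state that the returned string is already HTML-entity-encoded and must not be escaped again by callers.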
diff --git a/tests/PHPUnit/Integration/Tracker/TrackerCodeGeneratorTest.php b/tests/PHPUnit/Integration/Tracker/TrackerCodeGeneratorTest.php
index d4469dcca1..420a1c35aa 100644
--- a/tests/PHPUnit/Integration/Tracker/TrackerCodeGeneratorTest.php
+++ b/tests/PHPUnit/Integration/Tracker/TrackerCodeGeneratorTest.php
@@ -62,7 +62,7 @@ class TrackerCodeGeneratorTest extends IntegrationTestCase
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
})();
&lt;/script&gt;
-&lt;noscript&gt;&lt;p&gt;&lt;img src=&quot;//piwik-server/piwik/piwik.php?idsite=1&amp;rec=1&quot; style=&quot;border:0;&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;&lt;/noscript&gt;
+&lt;noscript&gt;&lt;p&gt;&lt;img src=&quot;//piwik-server/piwik/piwik.php?idsite=1&amp;amp;rec=1&quot; style=&quot;border:0;&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;&lt;/noscript&gt;
&lt;!-- End Matomo Code --&gt;
";