From 3ff0cbe3116185afb316e3b14db33e701c52765b Mon Sep 17 00:00:00 2001
From: c
Date: Thu, 12 Jan 2023 13:17:26 +0000
Subject: [PATCH] Feature - Google Analytics - Simplified Module & Escaped the Script to prevent XXS.
---
 server/model/status_page.js | 5 ++-
 server/modules/google-analytics.js | 53 ++++++++++++++----------------
 2 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/server/model/status_page.js b/server/model/status_page.js
index 2d90b639..a65a7da1 100644
--- a/server/model/status_page.js
+++ b/server/model/status_page.js
@@ -56,7 +56,10 @@ class StatusPage extends BeanModel {
 await StatusPage.getStatusPageData(statusPage).then( (page) => {
 if (page.config?.googleAnalyticsId) {
- head.append($(googleAnalytics.getGoogleAnalyticsScript(page.config.googleAnalyticsId)));
+ let escapedGoogleAnalyticsScript = jsesc(googleAnalytics.getGoogleAnalyticsScript(page.config.googleAnalyticsId), {
+ "isScriptContext": true
+ });
+ head.append($(escapedGoogleAnalyticsScript));
 }
 });
diff --git a/server/modules/google-analytics.js b/server/modules/google-analytics.js
index 2c10e584..4e0c95b2 100644
--- a/server/modules/google-analytics.js
+++ b/server/modules/google-analytics.js
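Review bot: In server/model/status_page.js the added `jsesc(...)` call wraps the return value of `getGoogleAnalyticsScript`, so the escaping runs over the whole generated snippet instead of the untrusted `page.config.googleAnalyticsId` that goes into it. jsesc escapes for a JavaScript string literal: applied to finished markup it would also rewrite the snippet's own quotes and any `</script` sequence, and it gives no protection for an ID placed in an HTML attribute such as a `src` URL (the generated strings are blank on this page, so which contexts apply is inferred). A stricter gate at this call site is the module's existing allow-list, `if (page.config?.googleAnalyticsId && googleAnalytics.isValidTag(page.config.googleAnalyticsId)) {`, with any escaping applied to `tagId` inside `getGoogleAnalyticsScript`. This is the file's only hunk and it adds no `require` for `jsesc`, so confirm the name is already imported above line 56; the enclosing method starts outside the hunk.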
@@ -1,30 +1,27 @@
-let GoogleAnalytics = (() => {
- /**
- * Returns a string that represents the javascript that is required to insert the Google Analytics scripts
- * into a webpage.
- * @param tagId Google UA/G/AW/DC Property ID to use with the Google Analytics script.
- * @returns {string}
- */
- function getGoogleAnalyticsScript(tagId) {
- return "" +
- "";
- }
+/**
+ * Returns true if the tag conforms to the format of 1-2 Letters followed by a dash and 8 numbers.
+ * This should take care of the following property tag formats:
+ * UA-########, G-########, AW-########, DC-########
+ * @param {String} tagInput Google UA/G/AW/DC Property ID
+ * @returns {boolean}
+ */
+function isValidTag(tagInput) {
+ const re = /^\w{1,2}-\d{8}$/g;
+ return tagInput.match(re) != null;
+}
- /**
- * Returns true if the tag conforms to the format of 1-2 Letters followed by a dash and 8 numbers.
- * This should take care of the following property tag formats:
- * UA-########, G-########, AW-########, DC-########
- * @param {String} tagInput Google UA/G/AW/DC Property ID
- * @returns {boolean}
- */
- function isValidTag(tagInput) {
- const re = /^\w{1,2}-\d{8}$/g;
- return tagInput.match(re) != null;
- }
- return {
- getGoogleAnalyticsScript: getGoogleAnalyticsScript,
- isValidTag: isValidTag
- };
-})();
+/**
+ * Returns a string that represents the javascript that is required to insert the Google Analytics scripts
+ * into a webpage.
+ * @param tagId Google UA/G/AW/DC Property ID to use with the Google Analytics script.
+ * @returns {string}
+ */
+function getGoogleAnalyticsScript(tagId) {
+ return "" +
+ "";
+}
-module.exports = GoogleAnalytics;
+module.exports = {
+ getGoogleAnalyticsScript,
+ isValidTag,
+};
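Review bot: `getGoogleAnalyticsScript` builds the snippet from `tagId` without consulting `isValidTag`, so the allow-list only protects callers that remember to use it; a guard such as `if (!isValidTag(tagId)) { return ""; }` at the top of the function would keep an unvalidated ID out of the page head regardless of the call site (the returned strings are blank on this page, so how `tagId` is interpolated is assumed). The validator itself is looser than its comment: the doc says "1-2 Letters" but `\w{1,2}` also accepts digits and underscore, and the `g` flag does nothing useful on an anchored pattern. `const re = /^[A-Za-z]{1,2}-\d{8}$/;` with `return re.test(tagInput);` matches the documented format and, unlike `tagInput.match`, does not throw when the stored value is null or not a string. The `@param tagId` line on `getGoogleAnalyticsScript` still lacks the `{String}` type that `isValidTag` declares.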