• Hi Joost,

    I found a bug – it often comes up because of my surname “O’Rourke”.

    The apostrophe breaks more sites and reveals more SQL injection holes around the web than you’d believe!

    In your plugin when I add the author as a custom var it was using my surname as part of it but without stripping or escaping the quote. It’s not the end of the world but I’ve lost about 2 weeks of data.

    The fix would be to add something to the str_clean() method in class-frontend.php or perhaps just run it through sanitize_key() before the remove_accents() call.

    Cheers,
    Rob

    https://www.ads-software.com/plugins/google-analytics-for-wordpress/
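The failure mode reported in the post above, as an added example that is not part of the original post and not the plugin's code: a value containing an apostrophe is placed in a single-quoted JavaScript string, so the whole inline tracking snippet fails to parse. The `_gaq.push(['_setCustomVar', ...])` snippet shape and all function names here are assumptions made for illustration; the second fix mirrors the character allow-list that `sanitize_key()` applies.

```javascript
// Added illustration, not the plugin's code. The _gaq.push/_setCustomVar
// snippet shape and every function name below are assumptions.

// Before: the value is concatenated into a single-quoted JS string as-is.
function buildSnippetUnsafe(author) {
  return "_gaq.push(['_setCustomVar', 1, 'author', '" + author + "', 3]);";
}

// After (option 1): emit a real JS string literal. JSON.stringify escapes
// quotes and backslashes; <, > and & are also escaped so the value cannot
// close the surrounding <script> element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

function buildSnippetSafe(author) {
  return "_gaq.push(['_setCustomVar', 1, 'author', " +
    jsStringLiteral(author) + ", 3]);";
}

// After (option 2): a key-style allow-list, mirroring what WordPress's
// sanitize_key() does (lowercase, keep only a-z, 0-9, _ and -). Lossy.
function keyStyleClean(value) {
  return String(value).toLowerCase().replace(/[^a-z0-9_-]/g, "");
}

// True if the generated snippet is syntactically valid JavaScript.
function parses(source) {
  try {
    new Function("_gaq", source);
    return true;
  } catch (e) {
    return false;
  }
}

// Runs a snippet against a stub queue and returns the recorded value.
function recordedValue(source) {
  const queue = [];
  new Function("_gaq", source)(queue);
  return queue[0][3];
}

// Constructed sample input: a surname containing an apostrophe.
const SAMPLE_AUTHOR = "Rob O'Rourke";
```

Option 1 keeps the author name intact in the reported data, while option 2 changes it, so the two fixes are not interchangeable for reporting purposes.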

  • The topic ‘Custom vars aren't escaped, breaks the analytics javascript’ is closed to new replies.