Lack of escaping in javascript causes page errors

  • Resolved urikanonov

    (@urikanonov)


    2 years ago

    Looks like the pintrest plugin when adding pintrk calls, doesn’t escape the product name and if it contains ‘ then it generates invalid javascript. I’m using Version 1.2.16.
    Problematic code is in Tracking.src :: get_add_to_cart_snippet_product

    $tracking = <<< JS
    jQuery( function( $ ) {
    $( document.body ).on( ‘added_to_cart’, function( e, fragments, cart_hash, thisbutton ) {
    var quantity = document.querySelector( ‘input.qty[name=”quantity”]’ ).value;
    pintrk( ‘track’, ‘AddToCart’, {
    ‘product_id’: ‘{$product_id}’,
    ‘product_name’: ‘{$product_name}’, <— here
    ‘value’: {$product_price} * quantity,
    ‘order_quantity’: quantity,
    ‘currency’: ‘{$wc_currency}’
    } );
    } );
    } );

Viewing 1 replies (of 1 total)
  • Plugin Support darcie

    (@darciemg)

    Hey there,

    Apologies for the late reply here! I hadn’t seen this reported before, but I was able to reproduce the error when adding an apostrophe in a product name.

    It looks like another user has opened up an issue in our GitHub repo and linked to your report as well. You can follow it here: https://github.com/woocommerce/pinterest-for-woocommerce/issues/716
    Any development will take place in GitHub. You can watch for updates there, or look out for a changelog entry to know when this is resolved.

    Thanks for this report!

Viewing 1 replies (of 1 total)
  • The topic ‘Lack of escaping in javascript causes page errors’ is closed to new replies.