Merge branch 'master' into next

# Conflicts:
#	CHANGELOG.md
#	package-lock.json

Author: ar2rsawseen

.github/workflows/main.yml

@@ -280,6 +280,13 @@ jobs:
           wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -O /tmp/chrome.deb
           apt install -y /tmp/chrome.deb
 
+      - name: Install Sharp dependencies for image processing
+        shell: bash
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -y
+          apt-get install -y libvips-dev
+
       - name: Copy code
         shell: bash
         run: |
@@ -338,8 +345,8 @@ jobs:
         working-directory: /opt/countly/ui-tests/cypress
         run: |
           ARTIFACT_ARCHIVE_NAME="$(date '+%Y%m%d-%H.%M')_${GITHUB_REPOSITORY#*/}_CI#${{ github.run_number }}_${{ matrix.test_type }}.tar.gz"
-          mkdir -p screenshots videos
-          tar zcvf "$ARTIFACT_ARCHIVE_NAME" screenshots videos
+          mkdir -p screenshots videos downloads
+          tar zcvf "$ARTIFACT_ARCHIVE_NAME" screenshots videos downloads
           curl -o /tmp/uploader.log -u "${{ secrets.BOX_UPLOAD_AUTH }}" ${{ secrets.BOX_UPLOAD_PATH }} -T "$ARTIFACT_ARCHIVE_NAME"
 
   ui-test-sdk:

CHANGELOG.md

@@ -2,15 +2,38 @@
 Dependencies:
 - Remove SQLite
 
+## Version 25.03.xx
+Fixes:
+- [push] Fixed timeout setting
+- [security] Fixed injection possibility on res.expose
+
+Enterprise Fixes:
+- [groups] Add logs for user updates
+- [surveys] Change question map log to debug log
+
+Enterprise Fixes:
+- [data-manager] Fixed bug when merging events with ampersand symbol in the name
+
+Dependencies:
+- Bump axios from 1.12.2 to 1.13.1 in /plugins/cognito
+- Bump csvtojson from 1.1.12 to 2.0.14
+- Bump eslint-plugin-vue from 10.5.0 to 10.5.1
+- Bump express-rate-limit from 8.1.0 to 8.2.0
+- Bump get-random-values from 4.0.0 to 4.1.0
+- Bump lint-staged from 16.2.4 to 16.2.6
+- Bump mockttp from 4.2.0 to 4.2.1 in /plugins/crash_symbolication
+- Bump nodemailer from 7.0.9 to 7.0.10
+- Bump puppeteer from 24.25.0 to 24.27.0
+- Bump vite from 7.1.10 to 7.1.12
+
 ## Version 25.03.25
 Fixes:
 - [crashes] Fixed resolving audit log recording
 - [location] Fixed updating none gps coordinate location after gps location was used
-- 
+
 Enterprise Fixes:
 - [ab-testing] Add script for fixing variant cohort
 - [groups] Fix user permission update after updating user group permission
-
 ## Version 25.03.24
 Fixes:
 - [jobs] Fix condition for scheduling alert job

bin/scripts/device_list/package-lock.json

@@ -23,6 +23,6 @@
   },
   "homepage": "https://count.ly/",
   "dependencies": {
-    "csvtojson": "^1.1.9"
+    "csvtojson": "^2.0.13"
   }
 }

bin/scripts/device_list/package.json

@@ -438,8 +438,10 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
         next();
     });
 
-    app.use('*.svg', function(req, res, next) {
-        res.setHeader('Content-Type', 'image/svg+xml; charset=UTF-8');
+    app.use(function(req, res, next) {
+        if (req.path.endsWith('.svg')) {
+            res.setHeader('Content-Type', 'image/svg+xml; charset=UTF-8');
+        }
         next();
     });
 

frontend/express/app.js

@@ -157,7 +157,7 @@ function renderNamespace(str) {
 function renderObject(obj, namespace) {
     return Object.keys(obj).map(function(key) {
         var val = obj[key];
-        return namespace + '["' + key + '"] = ' + string(val) + ';';
+        return namespace + '["' + escape_js_string(key) + '"] = ' + string(val) + ';';
     }).join('\n');
 }
 
@@ -180,61 +180,49 @@ function string(obj) {
     }
     else if ('[object Object]' === Object.prototype.toString.call(obj)) {
         return '{' + Object.keys(obj).map(function(key) {
-            return '"' + key + '":' + string(obj[key]);
+            return '"' + escape_js_string(key) + '":' + string(obj[key]);
         }).join(', ') + '}';
     }
     else {
-        obj = escape_html(JSON.stringify(obj));
+        obj = JSON.stringify(obj);
         if (obj) {
+            // Only escape things that could break out of script context
             obj = obj.replace(/<\/script>/ig, '</scr"+"ipt>');
+            obj = obj.replace(/<!--/g, '<\\!--');
+            obj = obj.replace(/\u2028/g, '\\u2028'); // Line separator
+            obj = obj.replace(/\u2029/g, '\\u2029'); // Paragraph separator
         }
         return obj;
     }
 }
 
-var matchHtmlRegExp = /[<>]/;
-
 /**
-* Escape special characters in the given string of html.
+* Escape special characters that could break JavaScript string context
 *
-* @param  {string} str - The string to escape for inserting into HTML
+* @param  {string} str - The string to escape
 * @return {string} escaped string
 * @public
 */
-function escape_html(str) {
-    str = '' + str;
-    var match = matchHtmlRegExp.exec(str);
-
-    if (!match) {
+function escape_js_string(str) {
+    if (typeof str !== 'string') {
         return str;
     }
 
-    var escape;
-    var html = '';
-    var index = 0;
-    var lastIndex = 0;
-
-    for (index = match.index; index < str.length; index++) {
-        switch (str.charCodeAt(index)) {
-        case 60: // <
-            escape = '&lt;';
-            break;
-        case 62: // >
-            escape = '&gt;';
-            break;
-        default:
-            continue;
-        }
-
-        if (lastIndex !== index) {
-            html += str.substring(lastIndex, index);
-        }
-
-        lastIndex = index + 1;
-        html += escape;
-    }
-
-    return lastIndex !== index ? html + str.substring(lastIndex, index) : html;
+    return str
+        .replace(/\\/g, '\\\\') // Backslash
+        .replace(/"/g, '\\"') // Double quote
+        .replace(/'/g, "\\'") // Single quote
+        .replace(/`/g, '\\`') // Backtick (template literal)
+        .replace(/\$/g, '\\$') // Dollar sign (template literal)
+        .replace(/\n/g, '\\n') // Newline
+        .replace(/\r/g, '\\r') // Carriage return
+        .replace(/\t/g, '\\t') // Tab
+        .replace(/\f/g, '\\f') // Form feed
+        .replace(/\v/g, '\\v') // Vertical tab
+        .replace(/\0/g, '\\0') // Null character
+        .replace(/[\u0000-\u001F\u007F-\u009F]/g, function(ch) {
+            return '\\u' + ('0000' + ch.charCodeAt(0).toString(16)).slice(-4);
+        });
 }
 
 exports = module.exports = function(app) {