Merge pull request #288 from hostep/fixes-incorrect-escaping-methods-used

jissereitsma · web-flow · commit a68f154ea31b · 2025-10-20T13:51:57.000+02:00
Fixes some more wrong escaping methods being used in frontend files.
diff --git a/view/frontend/templates/hyva/script-product-clicks.phtml b/view/frontend/templates/hyva/script-product-clicks.phtml
@@ -29,7 +29,7 @@ $productPath = $block->getProductPath();
         return yireoGoogleTagManager2FindParentElementWithName(element.parentElement, parentTagName);
     }
 
-    const products = document.querySelectorAll('<?= $escaper->escapeHtml($productPath) ?>');
+    const products = document.querySelectorAll('<?= $escaper->escapeJs($productPath) ?>');
     if (products && products.length > 0) {
         products.forEach(function(product) {
             product.addEventListener('click', function(event, s) {
diff --git a/view/frontend/templates/iframe.phtml b/view/frontend/templates/iframe.phtml
@@ -8,5 +8,6 @@ use Yireo\GoogleTagManager2\Config\Config;
 /** @var Config $config */
 /** @var Template $block */
 $config = $block->getConfig();
+$url = sprintf('%s/ns.html?id=%s', $config->getGoogleTagmanagerUrl(), $config->getId());
 ?>
-<noscript><iframe src="<?= $escaper->escapeUrl($config->getGoogleTagmanagerUrl()) ?>/ns.html?id=<?= $escaper->escapeHtml($config->getId()) ?>" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
+<noscript><iframe src="<?= $escaper->escapeUrl($url) ?>" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
diff --git a/view/frontend/templates/luma/script-product-clicks.phtml b/view/frontend/templates/luma/script-product-clicks.phtml
@@ -17,6 +17,6 @@ $productPath = $block->getProductPath();
 ?>
 <script>
     require(['yireoGoogleTagManagerProductClicks'], function(clicks) {
-        clicks({productPath: '<?= $escaper->escapeHtml($productPath) ?>'});
+        clicks({productPath: '<?= $escaper->escapeJs($productPath) ?>'});
     });
 </script>
diff --git a/view/frontend/templates/product/details.phtml b/view/frontend/templates/product/details.phtml
@@ -21,5 +21,5 @@ $product = $productDetails->getProduct();
 $productData = $dataLayer->toJson($productDetails->merge());
 ?>
 <script>
-    window['YIREO_GOOGLETAGMANAGER2_PRODUCT_DATA_ID_<?= $escaper->escapeHtml($product->getId()) ?>'] = <?= /* @noEscape */ $productData ?>;
+    window['YIREO_GOOGLETAGMANAGER2_PRODUCT_DATA_ID_<?= $escaper->escapeJs($product->getId()) ?>'] = <?= /* @noEscape */ $productData ?>;
 </script>
diff --git a/view/frontend/templates/script.phtml b/view/frontend/templates/script.phtml
@@ -32,9 +32,9 @@ $events = ($config->waitForUserInteraction() === false)
                     j = d.createElement(s),
                     dl = l != 'dataLayer' ? '&l=' + l : '';
                 j.async = true;
-                j.src = '<?= $escaper->escapeUrl($config->getGoogleTagmanagerUrl()) ?>' + '/gtm.js?id=' + i + dl;
+                j.src = '<?= $escaper->escapeJs($config->getGoogleTagmanagerUrl()) ?>' + '/gtm.js?id=' + i + dl;
                 f.parentNode.insertBefore(j, f);
-            })(window, document, 'script', 'dataLayer', '<?= $escaper->escapeHtml($gtmId) ?>');
+            })(window, document, 'script', 'dataLayer', '<?= $escaper->escapeJs($gtmId) ?>');
             <?php endforeach; ?>
         };
 

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ $productPath = $block->getProductPath();`
`29`	`29`	`return yireoGoogleTagManager2FindParentElementWithName(element.parentElement, parentTagName);`
`30`	`30`	`}`
`31`	`31`
`32`		`- const products = document.querySelectorAll('<?= $escaper->escapeHtml($productPath) ?>');`
	`32`	`+ const products = document.querySelectorAll('<?= $escaper->escapeJs($productPath) ?>');`
`33`	`33`	`if (products && products.length > 0) {`
`34`	`34`	`products.forEach(function(product) {`
`35`	`35`	`product.addEventListener('click', function(event, s) {`