0

There is a request on a project which maps the following case:

The client can save Google Analytics tracking code using a page. This code then, is inserted at runtime into the master's page website dynamically.

The part of inserting the script into the master's page was an easy one. One thing that I'm struggling with is the requirement of creating a page where the user can past the Google Analytics javascript code and save it to a sql server table.

Not the page itself but the security concerns. If I let the user to input any javascript code, save it to a database, then this code is inject at runtime into the master's page, I believe there's a HUGE security breach right there.

My question is, how can I implement this with security but still let the freedom for the user to insert the script? Is there a way to check if the script inserted is a real google analytics and not some malicious script? I have done a lot of research but could not find anything usefull, so I believe SO is my last option.

Improve this question

1 Answer 1

Reset to default
1

I would think your best bet is to always keep the GA template, only allowing the "administrator" to pass in the GA account variables, and any code that would go in the "middle" - for example, event tracking code, etc.

That being said.. I understand your concerns.. and they are valid.. but how often will this code change? And since it's code, shouldn't it be tested prior to implementation? Perhaps the best methodology is to have any of these requests go through the development team, and source control, and QA, and then production release? In that regard, you can just "inject" this code from a local txt file, etc, so it's still somewhat plug and play, but with some source management around it...

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thank you for your thoughts on that! I really liked the option about the GA template. I had thought on this option: Only let the user to input his Tracking ID and place the ID inside the js code, on code behind. But my concern is, the GA js code is always the same? The only thing that changes is really the tracking ID?
@jpgrassi yep! All basic GA code is the same, other than account id (of course). The wildcard here is, what if you wanted to track other stuff, like events? That stuff isn't template based, but instead aimed towards unique implementations to track button clicks, file views, etc. I don't think it destroys this model, but just keep it in mind to make sure however you store the template, you can accommodate "extra" code on the appropriate pages...
I see your point. But for now Google Analytics is the only "tracking" they will request. Our system already has a pretty good logging interface to track clicks, events and actions. I'll accept your answer. Thank you!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.