In my application I let registered users create their own personal website, and I want to let them add an analytics code into the site's header. I understand that there is a risk in letting them add their own content, so I have limited it to only let them add a Google Analytics code.
What is the worst that could happen if I let them enter their own JavaScript into the header of the website?
How can I go about limiting it so that only the Google Analytics code can be added?
Oh let’s see… They could redirect users to a phishing or malware site; attempt to set up drive-by-downloads; completely rewrite the entire page’s contents and steal sessions, login credentials and other information from the user or otherwise deface the site; install a keylogger into the user’s browser whilst they are on your site…
Write a check that ensures the ID string provided fits the pattern that all analytics IDs must follow. Only allow the characters that may appear in an analytics ID. Generate the rest of the surrounding JS code yourself. In the comments @yahelc provides the regex ^UA-\d+-\d+$ to validate the UA ID.
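The approach in the answer above, sketched as an added example that is not part of the original answer: the user supplies only the ID, it is checked against the regex from the comments, and the server generates every other character of the snippet. The function names, the 32-character length bound and the choice of the analytics.js async snippet as the template are assumptions.

```javascript
// Added example: validate a user-supplied Google Analytics ID, then emit a
// snippet whose JavaScript is fixed server-side. Only the ID varies.
const UA_ID = /^UA-\d+-\d+$/; // regex from the answer; no flags, so $ is end of input

// Returns the ID if it is a well-formed UA ID, otherwise null.
function validateTrackingId(input) {
  // RegExp.test() coerces its argument to a string, so an array such as
  // ['UA-1-1'] (repeated form field) would pass without this type check.
  if (typeof input !== 'string') return null;
  if (input.length > 32) return null; // assumed sanity bound, not a Google limit
  return UA_ID.test(input) ? input : null;
}

// Builds the header snippet. The template is an assumption (analytics.js
// async form); the user never supplies any part of the script text.
function buildAnalyticsSnippet(input) {
  const id = validateTrackingId(input);
  if (id === null) return ''; // invalid ID: emit nothing rather than escaping it
  return [
    '<script>',
    'window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;',
    `ga('create', '${id}', 'auto');`,
    "ga('send', 'pageview');",
    '</script>',
    "<script async src='https://www.google-analytics.com/analytics.js'></script>",
  ].join('\n');
}

// Constructed sample inputs, as they might arrive from a settings form.
const samples = ['UA-12345-6', 'ua-12345-6', 'UA-12345-6\n', "UA-1-1');alert(1);//", ['UA-1-1']];

// Reports which samples the validator accepts.
function demo() {
  return samples.map((s) => ({ input: s, accepted: validateTrackingId(s) !== null }));
}

console.log(demo());
```

Store only the validated ID and render the snippet at page-generation time, so a later change to the template never requires re-validating stored script text.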