rack-tracker 1.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4f96283c0c0a98829afd90e11bbd5e79d7286f52
-  data.tar.gz: 5ad6fa93e9419ac106f7c53dc7b07afcab142db7
+  metadata.gz: c743ccee29e6faa8c5d71c07d205f3ae15be5919
+  data.tar.gz: efa4ee308684aabf373fb85d37a43d13605d6620
 SHA512:
-  metadata.gz: 4006a72b6a23f2af2d29446842a93f0f6fc7392f75d539bb8344ffad99e81f8405ae365927bbcc58a7cf4848c90cfcbe95264ef86f5de6214895723a5d886caa
-  data.tar.gz: 39be467029907b418117f7c8457b5268c1dbf0a8ea656bf346d5d8c92f9374c75745d2bdc74625c0c02316a1f7fc36ca1c3b3b0461476f7b2a3e2926bf45c3ff
+  metadata.gz: 579341d83332e1859080caf204e1ad92194c18e9e175194ca75701a23873dc4baa6e21fd97618d1b8d6bafdf70fdc3ee76c73fabbc2e62325c8824420ce4aa73
+  data.tar.gz: 2549534848b0a718337d61950f56b78e2def2c7e2d723f95dec60605bf868064b8ab15057e9d70f654f43acdadc44034d60ca8a02f6706af7be4c30c962c18d4

data/.travis.yml

@@ -1,7 +1,11 @@
 language: ruby
+sudo: false
 rvm:
   - 1.9.3
   - 2.0.0
-  - 2.1.2
-  - 2.2.1
+  - 2.1.5
+  - 2.2.3
   - jruby
+gemfile:
+  - Gemfile.rails-3.2
+  - Gemfile.rails-4.2

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+# 1.0.2
+
+  * Back port deep_stringify_keys! from Rails 4 #55 (thx @jivagoalves)
+  * Javascript escape implementation to prevent XSS #54 (thx @fabn)
+  * setEmail event for criteo #51 (thx @florianeck)
+
 # 1.0.1
 
   * [BUGFIX] Fix for adjusted_bounce_rate_timeouts #49 (thx @fabn)

data/Gemfile.rails-3.2

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+gemspec
+
+gem 'activesupport', '~> 3.2.0'
+gem 'actionpack', '~> 3.2.0'

data/Gemfile.rails-4.2

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+gemspec
+
+gem 'activesupport', '~> 4.2.0'
+gem 'actionpack', '~> 4.2.0'

data/README.md

@@ -21,6 +21,7 @@ in your application. It's easy to add your own [custom handlers](#custom-handler
 but to get you started we're shipping support for the following services out of the box:
 
 * [Google Analytics](#google-analytics)
+* [Google Adwords Conversion](#google-adwords-conversion)
 * [Google Tag Manager](#google-tag-manager)
 * [Facebook](#facebook)
 * [Visual Website Optimizer (VWO)](#visual-website-optimizer-vwo)
@@ -187,8 +188,44 @@ take care of the plugin on your own.
   config.middleware.use(Rack::Tracker) do
     handler :google_analytics, { tracker: 'U-XXXXX-Y', ecommerce: true }
   end
-````
+```
+
+### Google Adwords Conversion
 
+You can configure the handler with default options:
+```ruby
+config.middleware.use(Rack::Tracker) do
+  handler :google_adwords_conversion, { id: 123456,
+                                        language: "en",
+                                        format: "3",
+                                        color: "ffffff",
+                                        label: "Conversion label",
+                                        currency: "USD" }
+end
+```
+
+To track adwords conversion from the server side just call the `tracker` method in your controller.
+```ruby
+  def show
+    tracker do |t|
+      t.google_adwords_conversion :conversion, { value: 10.0 }
+    end
+  end
+```
+
+You can also specify a different value from default options:
+```ruby
+  def show
+    tracker do |t|
+      t.google_adwords_conversion :conversion, { id: 123456,
+                                                 language: 'en',
+                                                 format: '3',
+                                                 color: 'ffffff',
+                                                 label: 'Conversion Label',
+                                                 value: 10.0 }
+    end
+  end
+```
 
 ### Google Tag Manager
 
@@ -198,7 +235,7 @@ Google Tag manager code snippet doesn't support any option other than the contai
   config.middleware.use(Rack::Tracker) do
     handler :google_tag_manager, { container: 'GTM-XXXXXX' }
   end
-````
+```
 
 #### Data Layer
 

data/lib/rack/tracker.rb

@@ -7,6 +7,7 @@ require "active_support/inflector"
 
 require "rack/tracker/version"
 require "rack/tracker/extensions"
+require "rack/tracker/javascript_helper"
 require 'rack/tracker/railtie' if defined?(Rails)
 require "rack/tracker/handler"
 require "rack/tracker/handler_delegator"
@@ -56,7 +57,12 @@ module Rack
 
     def inject(env, response)
       @handlers.each(env) do |handler|
-        response.gsub!(%r{</#{handler.position}>}, handler.render + "</#{handler.position}>")
+        # Sub! is enough, in well formed html there's only one head or body tag.
+        # Block syntax need to be used, otherwise backslashes in input will mess the output.
+        # @see http://stackoverflow.com/a/4149087/518204 and https://github.com/railslove/rack-tracker/issues/50
+        response.sub! %r{</#{handler.position}>} do |m|
+          handler.render << m.to_s
+        end
       end
       response
     end

data/lib/rack/tracker/extensions.rb

@@ -30,4 +30,35 @@ class Hash
     end
     self
   end
+
+  # NOTE Back ported from Rails 4 to 3
+  # Destructively convert all keys by using the block operation.
+  # This includes the keys from the root hash and from all
+  # nested hashes.
+  def deep_transform_keys!(&block)
+    _deep_transform_keys_in_object!(self, &block)
+  end unless method_defined? :deep_transform_keys!
+
+  def _deep_transform_keys_in_object!(object, &block)
+    case object
+    when Hash
+      object.keys.each do |key|
+        value = object.delete(key)
+        object[yield(key)] = _deep_transform_keys_in_object!(value, &block)
+      end
+      object
+    when Array
+      object.map! {|e| _deep_transform_keys_in_object!(e, &block)}
+    else
+      object
+    end
+  end unless method_defined? :_deep_transform_keys_in_object!
+
+  # NOTE Back ported from Rails 4 to 3
+  # Destructively convert all keys to strings.
+  # This includes the keys from the root hash and from all
+  # nested hashes.
+  def deep_stringify_keys!
+    deep_transform_keys!{ |key| key.to_s }
+  end unless method_defined? :deep_stringify_keys!
 end

data/lib/rack/tracker/google_adwords_conversion/template/google_adwords_conversion.erb

@@ -2,8 +2,8 @@
 
   <script type="text/javascript">
   /* <![CDATA[ */
-  <% ev.to_h.each do |attr_name, attr_value| %>
-    var google_conversion_<%= attr_name %> = <%= attr_name == :id ? attr_value : "'#{attr_value}'" %>;
+  <% options.merge(ev.to_h).each do |attr_name, attr_value| %>
+    var google_conversion_<%= attr_name %> = <%= [:id, :value].include?(attr_name) ? attr_value : "'#{attr_value}'" %>;
   <% end %>
   var google_remarketing_only = false;
   /* ]]> */
@@ -11,7 +11,7 @@
   <script type="text/javascript" src="//www.googleadservices.com/pagead/conversion.js"></script>
   <noscript>
     <div style="display:inline;">
-      <img height="1" width="1" style="border-style:none;" alt="" src="//www.googleadservices.com/pagead/conversion/<%= ev.id %>/?label=<%= URI.escape(ev.label) %>&amp;guid=ON&amp;script=0"/>
+      <img height="1" width="1" style="border-style:none;" alt="" src="//www.googleadservices.com/pagead/conversion/<%= ev.id || options[:id] %>/?label=<%= URI.escape(ev.label || options[:label]) %>&amp;guid=ON&amp;script=0"/>
     </div>
   </noscript>
 

data/lib/rack/tracker/google_analytics/google_analytics.rb

@@ -47,8 +47,9 @@ class Rack::Tracker::GoogleAnalytics < Rack::Tracker::Handler
   end
 
   class Parameter < OpenStruct
+    include Rack::Tracker::JavaScriptHelper
     def write
-      ["set", self.to_h.to_a].flatten.map {|s| "'#{s}'" }.join(', ')
+      ['set', self.to_h.to_a].flatten.map { |v| %Q{'#{j(v)}'} }.join ', '
     end
   end
 

data/lib/rack/tracker/handler.rb

@@ -5,6 +5,9 @@ class Rack::Tracker::Handler
   attr_accessor :options
   attr_accessor :env
 
+  # Allow javascript escaping in view templates
+  include Rack::Tracker::JavaScriptHelper
+
   def initialize(env, options = {})
     self.env = env
     self.options  = options

data/lib/rack/tracker/javascript_helper.rb

@@ -0,0 +1,34 @@
+# This module is extracted from Rails to provide reliable javascript escaping.
+#
+# @see https://github.com/rails/rails/blob/master/actionview/lib/action_view/helpers/javascript_helper.rb
+module Rack::Tracker::JavaScriptHelper
+
+  JS_ESCAPE_MAP = {
+      '\\' => '\\\\',
+      '</' => '<\/',
+      "\r\n" => '\n',
+      "\n" => '\n',
+      "\r" => '\n',
+      '"' => '\\"',
+      "'" => "\\'"
+  }
+
+  JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = '&#x2028;'
+  JS_ESCAPE_MAP["\342\200\251".force_encoding(Encoding::UTF_8).encode!] = '&#x2029;'
+
+  # Escapes carriage returns and single and double quotes for JavaScript segments.
+  #
+  # Also available through the alias j(). This is particularly helpful in JavaScript
+  # responses, like:
+  #
+  #   $('some_element').replaceWith('<%=j render 'some/element_template' %>');
+  def escape_javascript(javascript)
+    if javascript
+      javascript.to_s.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] }
+    else
+      ''
+    end
+  end
+
+  alias_method :j, :escape_javascript
+end

data/lib/rack/tracker/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Tracker
-    VERSION = '1.0.1'
+    VERSION = '1.0.2'
   end
 end

data/lib/rack/tracker/zanox/zanox.rb

@@ -3,7 +3,6 @@ class Rack::Tracker::Zanox < Rack::Tracker::Handler
   # name of the handler
   # everything after is passed as options
   class Mastertag < OpenStruct
-
     def write
       to_h.except(:id).map do |k,v|
         "var zx_#{k} = #{v.to_json};"
@@ -13,7 +12,6 @@ class Rack::Tracker::Zanox < Rack::Tracker::Handler
 
   class Lead < OpenStruct
     # Example: OrderID=[[DEFC-4321]]&CurrencySymbol=[[EUR]]&TotalPrice=[[23.40]]
-
     def write
       to_h.map do |k,v|
         "#{k.to_s.camelize}=[[#{v}]]"
@@ -21,13 +19,7 @@ class Rack::Tracker::Zanox < Rack::Tracker::Handler
     end
   end
 
-  class Sale < OpenStruct
-    def write
-      to_h.map do |k,v|
-        "#{k.to_s.camelize}=[[#{v}]]"
-      end.join('&')
-    end
-  end
+  Sale = Class.new(Lead)
 
   self.position = :body
 

data/spec/handler/google_adwords_conversion_spec.rb

@@ -35,4 +35,34 @@ RSpec.describe Rack::Tracker::GoogleAdwordsConversion do
     end
   end
 
+  describe 'with options' do
+    context 'when there are no params for the handler' do
+      let(:options) { { id: 123456,
+                        language: 'en',
+                        format: '3',
+                        color: 'ffffff',
+                        label: 'Conversion Label' } }
+      let(:env) do
+        {
+          'tracker' => {
+            'google_adwords_conversion' => [
+              { 'class_name' => 'Conversion', 'value' => '10.0' }
+            ]
+          }
+        }
+      end
+
+      subject { described_class.new(env, options).render }
+
+      it 'will show events by using default options' do
+        expect(subject).to match(%r{var google_conversion_id = 123456;})
+        expect(subject).to match(%r{var google_conversion_language = 'en';})
+        expect(subject).to match(%r{var google_conversion_format = '3';})
+        expect(subject).to match(%r{var google_conversion_color = 'ffffff';})
+        expect(subject).to match(%r{var google_conversion_label = 'Conversion Label';})
+        expect(subject).to match(%r{var google_conversion_value = 10.0;})
+        expect(subject).to match(%r{<img.*src=\"\/\/www.googleadservices.com\/pagead\/conversion\/123456\/\?label=Conversion%20Label&amp;guid=ON&amp;script=0\"/>})
+      end
+    end
+  end
 end

data/spec/integration/google_analytics_integration_spec.rb

@@ -29,4 +29,24 @@ RSpec.describe "Google Analytics Integration" do
      expect(page.find("body")).to have_content('ga("ecommerce:addItem",{"id":"1234","name":"Fluffy Pink Bunnies","sku":"DD23444","category":"Party Toys","price":"11.99","quantity":"1"})')
     end
   end
-end
+
+  describe 'values escaping' do
+    before do
+      setup_app(action: :google_analytics) do |tracker|
+        tracker.handler :google_analytics, { tracker: 'U-XXX-Y' }
+      end
+      visit '/'
+    end
+
+    it "will not mess up the html" do
+      expect(page.find('head')).to have_content('U-XXX-Y')
+      # Backslashes are also escaped, thus \' becomes in \\\' in output
+      expect(page.find('head')).to have_content %q{Some escaped \\\\\\'value}
+    end
+
+    it "automatically escape javascript in dimensions" do
+      expect(page.find('head')).to have_content('U-XXX-Y')
+      expect(page.find('head')).to have_content %q{Author\\'s name}
+    end
+  end
+end

data/spec/support/metal_controller.rb

@@ -34,6 +34,8 @@ class MetalController < ActionController::Metal
       t.google_analytics :ecommerce, { type: 'addTransaction', id: 1234, affiliation: 'Acme Clothing', revenue: 11.99, shipping: 5, tax: 1.29 }
       t.google_analytics :ecommerce, { type: 'addItem', id: 1234, name: 'Fluffy Pink Bunnies', sku: 'DD23444', category: 'Party Toys', price: 11.99, quantity: 1 }
       t.google_analytics :send, { type: 'event', category: 'button', action: 'click', label: 'nav-buttons', value: 'X' }
+      t.google_analytics :parameter, dimension1: %q{Some escaped \\'value}
+      t.google_analytics :parameter, dimension2: %q{Author's name}
     end
     render "metal/index"
   end

data/spec/tracker/javascript_helper_spec.rb

@@ -0,0 +1,51 @@
+RSpec.describe Rack::Tracker do
+
+  let(:escaper) do
+    Class.new { include Rack::Tracker::JavaScriptHelper }.new
+  end
+
+  subject { escaper }
+
+  # Instance methods are mixed in
+  it { should respond_to :escape_javascript }
+  it { should respond_to :j }
+
+  context 'with plain values' do
+    it 'should return untouched values' do
+      expect(escaper.j('Hello')).to eq 'Hello'
+    end
+  end
+
+  # The following is a RSpec port of original rails's test suite for #j method.
+  # https://github.com/rails/rails/blob/master/actionview/test/template/javascript_helper_test.rb
+  describe '#escape_javascript' do
+
+    # Simple matcher to shorten specs
+    matcher :escape do |value|
+
+      match do |actual|
+        raise ArgumentError, 'macther syntax is escape("some value").to("expected value")' unless @expected
+        actual.j(value) == @expected
+      end
+
+      # Syntactic sugar for matcher
+      chain :to do |to|
+        @expected = to
+        self
+      end
+    end
+
+    it { should escape(nil).to '' }
+    it { should escape(%(This "thing" is really\n netos')).to %(This \\"thing\\" is really\\n netos\\') }
+    it { should escape(%(backslash\\test)).to %(backslash\\\\test) }
+    it { should escape(%(dont </close> tags)).to %(dont <\\/close> tags) }
+    it { should escape(%(unicode \342\200\250 newline).force_encoding(Encoding::UTF_8).encode!).to %(unicode &#x2028; newline) }
+    it { should escape(%(unicode \342\200\251 newline).force_encoding(Encoding::UTF_8).encode!).to %(unicode &#x2029; newline) }
+
+    it 'works with symbols' do
+      expect(subject).to escape(:dimension1).to 'dimension1'
+    end
+
+  end
+
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-tracker
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Lars Brillert
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-10 00:00:00.000000000 Z
+date: 2015-10-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -151,6 +151,8 @@ files:
 - ".travis.yml"
 - CHANGELOG.md
 - Gemfile
+- Gemfile.rails-3.2
+- Gemfile.rails-4.2
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -171,6 +173,7 @@ files:
 - lib/rack/tracker/google_tag_manager/template/google_tag_manager.erb
 - lib/rack/tracker/handler.rb
 - lib/rack/tracker/handler_delegator.rb
+- lib/rack/tracker/javascript_helper.rb
 - lib/rack/tracker/railtie.rb
 - lib/rack/tracker/version.rb
 - lib/rack/tracker/vwo/template/vwo.erb
@@ -207,6 +210,7 @@ files:
 - spec/tracker/controller_spec.rb
 - spec/tracker/handler_delegator_spec.rb
 - spec/tracker/handler_set_spec.rb
+- spec/tracker/javascript_helper_spec.rb
 - spec/tracker/tracker_spec.rb
 homepage: https://github.com/railslove/rack-tracker
 licenses:
@@ -228,7 +232,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Tracking made easy
@@ -262,4 +266,5 @@ test_files:
 - spec/tracker/controller_spec.rb
 - spec/tracker/handler_delegator_spec.rb
 - spec/tracker/handler_set_spec.rb
+- spec/tracker/javascript_helper_spec.rb
 - spec/tracker/tracker_spec.rb