Describe the bug
Using the Zendesk widget on a page protected by CSRF-Protector-php causes a syntax error: "Uncaught SyntaxError: Invalid or unexpected token". The widget adds an iframe to the page using javascript. The javascript code builds up the content of the iframe, which contains a <body> tag.
In the csrfprotector class, a <noscript> tag is added to the <body> tag of the document. This is achieved using the preg_replace() function. As a side-effect this also adds the noscript tag to the javascript code that builds up the iframe content.
To Reproduce
Add the Zendesk widget to a page and reload the page.
<script>
/*<![CDATA[*/
// Zendesk embed loader, as pasted in the issue to reproduce the bug.
// Does nothing when window.zEmbed is already set; otherwise it creates a hidden
// iframe and, from inside that iframe, loads the script at URL `e`.
// `t` is stored on the iframe document as zendeskHost.
window.zEmbed || function(e, t) {
var n, o, d, i, s, a = [], r = document.createElement("iframe");
// Stub API: every call made to zEmbed/zE is recorded in `a`, which is later
// exposed to the iframe document as zEQueue (presumably drained by main.js; confirm).
window.zEmbed = function() {
a.push(arguments)
// The comma chain below hides the iframe, inserts it before the last script
// element currently in the page, and keeps a reference to its document in `s`.
}, window.zE = window.zE || window.zEmbed, r.src = "javascript:false", r.title = "", r.role = "presentation", (r.frameElement || r).style.cssText = "display: none", d = document.getElementsByTagName("script"), d = d[d.length - 1], d.parentNode.insertBefore(r, d), i = r.contentWindow, s = i.document;
try {
o = s
} catch (c) {
// Fallback path: remembers document.domain in `n` and re-points the iframe at a
// javascript: URL that sets the same domain inside it.
// NOTE(review): looks like a workaround for pages that set document.domain; confirm.
n = document.domain, r.src = 'javascript:var d=document.open();d.domain="' + n + '";void(0);', o = s
}
// _l is invoked by the onload attribute written into the iframe further down;
// it appends the script element that loads `e`.
o.open()._l = function() {
var o = this.createElement("script");
n && (this.domain = n), o.id = "js-iframe-async", o.src = e, this.t = +new Date, this.zendeskHost = t, this.zEQueue = a, this.body.appendChild(o)
// The string passed to o.write() is the spot the issue is about: it is an opening
// body tag inside a JavaScript string literal, not page markup. A server-side
// rewrite that pattern-matches body tags in the raw response without parsing the
// HTML matches it too; per the report, the injected noscript text ends up inside
// this literal and the script fails with "Invalid or unexpected token".
}, o.write('<body onload="document._l();">'), o.close()
}("https://assets.zendesk.com/embeddable_framework/main.js", "mydomain.zendesk.com");
/*]]>*/
</script>
**Error logs**
Uncaught SyntaxError: Invalid or unexpected token
The altered javascript code causing the syntax error: o.write('<body onload="document._l();"> <noscript>This site attempts to protect users ag...
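**Proposed solution**
Set the limit parameter to 1 in the preg_replace() call that adds the <noscript> tag (line 502). This would cause the <noscript> tag to only be added to the first <body> tag in the document, which should be the actual page's <body> tag. That assumption holds only as long as no script or comment earlier in the output (for example in <head>) contains a <body string of its own.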
Describe the bug
Using the Zendesk widget on a page protected by CSRF-Protector-php causes a syntax error: "Uncaught SyntaxError: Invalid or unexpected token". The widget adds an iframe to the page using javascript. The javascript code builds up the content of the iframe, which contains a <body> tag.
In the csrfprotector class, a <noscript> tag is added to the <body> tag of the document. This is achieved using the preg_replace() function. As a side-effect this also adds the noscript tag to the javascript code that builds up the iframe content.
To Reproduce
Add the Zendesk widget to a page and reload the page.
**Error logs**
Uncaught SyntaxError: Invalid or unexpected token
The altered javascript code causing the syntax error:
o.write('<body onload="document._l();"> <noscript>This site attempts to protect users ag...
**Proposed solution**
Set the limit parameter to 1 in the preg_replace() call that adds the <noscript> tag (line 502). This would cause the <noscript> tag to only be added to the first <body> tag in the document, which should be the actual page's <body> tag.