Syntax error caused by too eager preg_replace call for adding the noscript tag #160

jordanvermeir opened this issue Aug 4, 2023 · 0 comments


jordanvermeir commented Aug 4, 2023

Describe the bug
Using the Zendesk widget on a page protected by CSRF-Protector-php causes a syntax error: "Uncaught SyntaxError: Invalid or unexpected token". The widget adds an iframe to the page using JavaScript. The JavaScript code builds up the content of the iframe, which contains a <body> tag.

In the csrfprotector class, a <noscript> tag is added to the <body> tag of the document. This is achieved using the preg_replace() function. As a side effect, this also adds the noscript tag to the JavaScript code that builds up the iframe content.

To Reproduce
Add the Zendesk widget to a page and reload the page.

```html
<script>
  /*<![CDATA[*/
  window.zEmbed || function(e, t) {
    var n, o, d, i, s, a = [], r = document.createElement("iframe");
    window.zEmbed = function() {
      a.push(arguments)
    }, window.zE = window.zE || window.zEmbed, r.src = "javascript:false", r.title = "", r.role = "presentation", (r.frameElement || r).style.cssText = "display: none", d = document.getElementsByTagName("script"), d = d[d.length - 1], d.parentNode.insertBefore(r, d), i = r.contentWindow, s = i.document;
    try {
      o = s
    } catch (c) {
      n = document.domain, r.src = 'javascript:var d=document.open();d.domain="' + n + '";void(0);', o = s
    }
    o.open()._l = function() {
      var o = this.createElement("script");
      n && (this.domain = n), o.id = "js-iframe-async", o.src = e, this.t = +new Date, this.zendeskHost = t, this.zEQueue = a, this.body.appendChild(o)
    }, o.write('<body onload="document._l();">'), o.close()
  }("https://assets.zendesk.com/embeddable_framework/main.js", "mydomain.zendesk.com");
  /*]]>*/
</script>
```

**Error logs**
Uncaught SyntaxError: Invalid or unexpected token

The altered JavaScript code causing the syntax error:
o.write('<body onload="document._l();"> <noscript>This site attempts to protect users ag...

**Proposed solution**
Set the limit parameter to 1 in the preg_replace() call that adds the <noscript> tag (line 502). This would cause the <noscript> tag to only be added to the first <body> tag in the document, which should be the actual page's <body> tag.
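
Added example, not part of the issue and not CSRF-Protector-PHP's own code: it compares an unbounded preg_replace() with the proposed limit of 1 on two constructed pages, and goes one step beyond the report by showing that a limit of 1 only protects the script when the real <body> tag is the first match. The regex pattern, the placeholder message and the helper names are assumptions.

```php
<?php
// Added illustration; not CSRF-Protector-PHP source code.
// ASSUMPTION: the pattern and the placeholder message below are hypothetical.
const BODY_PATTERN = '/<body[^>]*>/i';
const NOSCRIPT = ' <noscript>PLACEHOLDER MESSAGE</noscript>';

// Append the <noscript> block after at most $limit matches (-1 = no limit).
function injectNoscript(string $html, int $limit = -1): string
{
    return preg_replace(BODY_PATTERN, '$0' . NOSCRIPT, $html, $limit);
}

// True if any <script> element's text now contains the injected markup.
function scriptWasAltered(string $html): bool
{
    preg_match_all('#<script\b[^>]*>(.*?)</script>#is', $html, $m);
    foreach ($m[1] as $js) {
        if (strpos($js, '<noscript>') !== false) {
            return true;
        }
    }
    return false;
}

// Constructed page: real <body> first, then a widget-style script (as in the report).
$bodyFirst = <<<'HTML'
<html><head><title>demo</title></head>
<body class="app">
<script>o.write('<body onload="document._l();">'), o.close()</script>
</body></html>
HTML;

// Constructed page: the same script placed in <head>, before the real <body>.
$scriptFirst = <<<'HTML'
<html><head>
<script>o.write('<body onload="document._l();">'), o.close()</script>
</head>
<body class="app"></body></html>
HTML;

$cases = [
    'no limit, body first'  => injectNoscript($bodyFirst),
    'limit 1, body first'   => injectNoscript($bodyFirst, 1),
    'limit 1, script first' => injectNoscript($scriptFirst, 1),
];
foreach ($cases as $label => $html) {
    printf("%-22s script altered: %s\n", $label, scriptWasAltered($html) ? 'yes' : 'no');
}
```

The `scriptWasAltered()` check can be reused as a regression test for any change to the injection logic, since it fails whenever the output rewriter touches inline script text.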
