[英]Dynamically including Google Analytics tracking code into asp.net page
There is a request on a project which maps the following case: 一个项目的请求映射了以下情况:
The client can save Google Analytics tracking code using a page. 客户端可以使用页面保存Google Analytics(分析)跟踪代码。 This code then, is inserted at runtime into the master's page website dynamically. 然后,此代码在运行时动态地插入到母版页网站中。
The part of inserting the script into the master's page was an easy one. 将脚本插入母版页的过程很简单。 One thing that I'm struggling with is the requirement of creating a page where the user can past the Google Analytics javascript code and save it to a sql server table. 我正在努力解决的一件事是需要创建一个页面,用户可以在该页面上粘贴Google Analytics(分析)JavaScript代码并将其保存到sql服务器表中。
Not the page itself but the security concerns. 不是页面本身,而是安全问题。 If I let the user to input any javascript code, save it to a database, then this code is inject at runtime into the master's page, I believe there's a HUGE security breach right there. 如果我让用户输入任何JavaScript代码,然后将其保存到数据库中,那么该代码将在运行时注入到母版页中,我相信那儿确实存在巨大的安全漏洞。
My question is, how can I implement this with security but still let the freedom for the user to insert the script? 我的问题是,如何在实现安全性的同时又让用户自由插入脚本? Is there a way to check if the script inserted is a real google analytics and not some malicious script? 有没有办法检查所插入的脚本是否是真实的Google Analytics(分析)而不是某些恶意脚本? I have done a lot of research but could not find anything usefull, so I believe SO is my last option. 我做了很多研究,但是找不到任何有用的东西,因此我相信SO是我的最后选择。
I would think your best bet is to always keep the GA template, only allowing the "administrator" to pass in the GA account variables, and any code that would go in the "middle" - for example, event tracking code, etc. 我认为您最好的选择是始终保留GA模板,只允许“管理员”传递GA帐户变量以及“中间”的任何代码-例如事件跟踪代码等。
That being said.. I understand your concerns.. and they are valid.. but how often will this code change? 话虽如此..我理解您的担心..并且它们是有效的..但是此代码多久更改一次? And since it's code, shouldn't it be tested prior to implementation? 而且由于它是代码,因此在执行之前是否应该对其进行测试? Perhaps the best methodology is to have any of these requests go through the development team, and source control, and QA, and then production release? 也许最好的方法是让所有这些请求都经过开发团队,源代码控制,质量保证以及生产发布? In that regard, you can just "inject" this code from a local txt file, etc, so it's still somewhat plug and play, but with some source management around it... 在这方面,您可以只从本地txt文件等中“注入”此代码,因此它仍然可以即插即用,但是周围有一些源代码管理...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.