Syntax error caused by too eager preg_replace call for adding the noscript tag #160

Open
@jordanvermeir

Describe the bug
Using the Zendesk widget on a page protected by CSRF-Protector-php causes a syntax error: "Uncaught SyntaxError: Invalid or unexpected token". The widget adds an iframe to the page using JavaScript. The JavaScript code builds up the content of the iframe, which contains a <body> tag.

In the csrfprotector class, a <noscript> tag is added to the <body> tag of the document. This is achieved using the preg_replace() function. As a side effect, this also adds the noscript tag to the JavaScript code that builds up the iframe content.

To Reproduce
Add the Zendesk widget to a page and reload the page.

<script>
  /*<![CDATA[*/
  window.zEmbed || function(e, t) {
    var n, o, d, i, s, a = [], r = document.createElement("iframe");
    window.zEmbed = function() {
      a.push(arguments)
    }, window.zE = window.zE || window.zEmbed, r.src = "javascript:false", r.title = "", r.role = "presentation", (r.frameElement || r).style.cssText = "display: none", d = document.getElementsByTagName("script"), d = d[d.length - 1], d.parentNode.insertBefore(r, d), i = r.contentWindow, s = i.document;
    try {
      o = s
    } catch (c) {
      n = document.domain, r.src = 'javascript:var d=document.open();d.domain="' + n + '";void(0);', o = s
    }
    o.open()._l = function() {
      var o = this.createElement("script");
      n && (this.domain = n), o.id = "js-iframe-async", o.src = e, this.t = +new Date, this.zendeskHost = t, this.zEQueue = a, this.body.appendChild(o)
    }, o.write('<body onload="document._l();">'), o.close()
  }("https://assets.zendesk.com/embeddable_framework/main.js", "mydomain.zendesk.com");
  /*]]>*/
</script>

Error logs
Uncaught SyntaxError: Invalid or unexpected token

The altered JavaScript code causing the syntax error:
o.write('<body onload="document._l();"> <noscript>This site attempts to protect users ag...

Proposed solution
Set the limit parameter to 1 in the preg_replace() call that adds the <noscript> tag (line 502). This would cause the <noscript> tag to only be added to the first <body> tag in the document, which should be the actual page's <body> tag.
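
The behaviour reported above and the effect of the proposed limit, as an added example (not code from this issue or from CSRF-Protector-php): the pattern, the placeholder message, the sample pages and the helper names are assumptions. It goes slightly beyond the report by including a page where the widget sits in <head>, in which case the first <body match is still the one inside the script.

```php
<?php
// Added example, not CSRF-Protector-php source. $pattern and $message are
// assumptions; the issue only states that preg_replace() adds <noscript> to <body>.
$pattern = '/<body[^>]*>/i';
$message = '<noscript>PLACEHOLDER: JavaScript is required.</noscript>'; // constructed

// Constructed sample input: a shortened form of the widget's o.write() call.
$widget   = "<script>o.write('<body onload=\"document._l();\">'), o.close()</script>";
$bodyPage = "<html><head><title>t</title></head><body class=\"app\"><p>Hi</p>{$widget}</body></html>";
$headPage = "<html><head>{$widget}</head><body class=\"app\"><p>Hi</p></body></html>";

/**
 * Insert $message after matches of $pattern.
 * $limit = -1 is preg_replace()'s default (replace every match).
 * Returns [rewritten HTML, number of replacements made].
 */
function addNoscript(string $html, string $pattern, string $message, int $limit): array
{
    $count = 0;
    $out = preg_replace($pattern, '$0 ' . $message, $html, $limit, $count);
    return [$out, $count];
}

/** True when the widget script survived the rewrite byte for byte. */
function scriptIntact(string $html, string $widget): bool
{
    return strpos($html, $widget) !== false;
}

$cases = [
    ['widget in body, no limit', $bodyPage, -1], // current behaviour
    ['widget in body, limit 1',  $bodyPage, 1],  // proposed fix
    ['widget in head, limit 1',  $headPage, 1],  // first match is inside the script
];

foreach ($cases as [$label, $html, $limit]) {
    [$out, $count] = addNoscript($html, $pattern, $message, $limit);
    printf(
        "%-26s replacements=%d script intact=%s\n",
        $label,
        $count,
        scriptIntact($out, $widget) ? 'yes' : 'no'
    );
}
```

With the limit set to 1 the script is left alone only when the page's own <body> tag precedes any script that contains a <body string.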
