Merge pull request #14 from inpsyde/mdr-218/escape-noscript-url

IFRAME with invalid URL googletagmanager in SRC attribute

composer.json

@@ -52,5 +52,11 @@
     },
     "suggest": {
         "inpsyde/wonolog": "You may want to install Wonolog to enable logging for this package."
+    },
+    "config": {
+        "allow-plugins": {
+            "inpsyde/composer-assets-compiler": true,
+            "dealerdirect/phpcodesniffer-composer-installer": true
+        }
     }
 }

src/Renderer/NoscriptTagRenderer.php

@@ -97,7 +97,7 @@ static function (string $url, DataCollectorInterface $data): string {
 
         $iframe = sprintf(
             '<iframe src="%s" height="0" width="0" style="%s"></iframe>',
-            $url,
+            \esc_url($url),
             'display:none;visibility:hidden'
         );
 

tests/phpunit/Unit/Renderer/NoscriptTagRendererTest.php

@@ -57,6 +57,11 @@ public function testRender(): void
             ->with($expected_data, $first_url)
             ->andReturn($expected_url);
 
+        Functions\expect('esc_url')
+            ->once()
+            ->with($expected_url)
+            ->andReturn($expected_url);
+
         ob_start();
         $testee->render();
         $output = ob_get_clean();
@@ -144,6 +149,7 @@ public function testRenderAtBodyStart(): void
             ->andReturn([]);
 
         Functions\stubs(['add_query_arg' => '']);
+        Functions\stubs(['esc_url' => '']);
 
         $testee = new NoscriptTagRenderer($dataLayer);
         ob_start();