Merge pull request #40 from webmatch/hotfix/WBMSWPLUG-66-fix-xss

[HOTFIX][WBMSWPLUG-66] fix xss in datalayer

Author: wbm-mkopp

CHANGELOG.md

@@ -1,3 +1,6 @@
+## [3.5.1]
+- Fix XSS security breach over site search term
+
 ## [3.5.0]
 - Add product click tracking support
 

Services/TagManagerVariables.php

@@ -173,15 +173,21 @@ public function fillValues($dataLayer)
      */
     public function prependDataLayer($source, $prettyPrint = false)
     {
+        $variables = $this->getVariables();
+
+        array_walk_recursive($variables, static function (&$item) {
+            $item = htmlspecialchars($item);
+        });
+
         return sprintf(
             '%s%s%s%s',
             '<script>',
             sprintf(
                 'window.dataLayer.push(%s);',
-                json_encode(
-                    $this->getVariables(),
-                    ($prettyPrint) ? JSON_PRETTY_PRINT : null
-                )
+                    json_encode(
+                        $variables,
+                        ($prettyPrint) ? JSON_PRETTY_PRINT : null
+                    )
             ),
             '</script>',
             $source

plugin.xml

@@ -3,11 +3,16 @@
     <label lang="de">Tag Manager</label>
     <label lang="en">Tag Manager</label>
 
-    <version>3.5.0</version>
+    <version>3.5.1</version>
     <link>http://www.webmatch.de</link>
     <author>Webmatch GmbH</author>
     <compatibility minVersion="5.6.3" />
 
+    <changelog version="3.5.1">
+        <changes lang="de">Behebt XSS Sicherheitslücke über den Suchbegriff auf der Suchseite</changes>
+        <changes lang="en">Fix XSS security breach over site search term</changes>
+    </changelog>
+
     <changelog version="3.5.0">
         <changes lang="de">Hinzufügen der Möglichkeit des tracken von Produktklicks</changes>
         <changes lang="en">Add possibility to track product clicks</changes>