Over the last couple of days I noticed that one of the searches bringing people to my site wasn’t showing up in the widget on my dashboard. After going to the Google Analytics page I discovered that the search term was <!-- IE 8 quirks mode please --> and it wasn’t showing up because that’s what an HTML comment looks like.
I poked around the Google Analyticator code for a little while and discovered that the data was retrieved from Google and then just included, unescaped, in the output of the dashboard page in WordPress. This could lead to something as simple as search terms not showing up, or turning all of the text after a certain point bold (if a search term was <strong> for instance), or it could lead to particularly nasty people crafting a top search result containing a <script> tag, which would then run in the browser of whoever views the dashboard, and from there they could do some fairly nasty stuff.
I’ve created a very simple little patch to solve this problem. It basically involves running the data through PHP’s htmlspecialchars() function before it’s printed to the screen.
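As an added illustration (not the plugin's actual patch), here is the pattern the fix applies: a widget that prints API data straight into the page, beside the same widget escaping each value at output time. The sample search terms and the function names are constructed for this example.

```php
<?php
// Added example, not the plugin's code: rendering top search terms
// in a dashboard widget, before and after escaping.

// Constructed sample data standing in for what the Google Analytics
// API returns. The first entry is the term from the post; the others
// show what unescaped output does to the page.
$search_terms = [
    ['term' => '<!-- IE 8 quirks mode please -->', 'visits' => 12],
    ['term' => '<strong>',                          'visits' => 7],
    ['term' => '<script>alert(1)</script>',         'visits' => 3],
];

// Vulnerable: API data is concatenated straight into the dashboard HTML,
// so a term is interpreted as markup (hidden as a comment, opens a
// <strong> that swallows the rest of the page, or runs a script).
function render_terms_unsafe(array $terms): string {
    $html = "<ul>\n";
    foreach ($terms as $row) {
        $html .= "<li>{$row['term']} ({$row['visits']})</li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened: every untrusted string goes through htmlspecialchars() at the
// point of output. ENT_QUOTES also escapes single quotes (the default did
// not before PHP 8.1), and the explicit charset avoids mis-decoding
// multibyte input. Inside WordPress, esc_html() wraps the same call.
function render_terms_safe(array $terms): string {
    $html = "<ul>\n";
    foreach ($terms as $row) {
        $term   = htmlspecialchars($row['term'], ENT_QUOTES, 'UTF-8');
        $visits = (int) $row['visits'];
        $html .= "<li>{$term} ({$visits})</li>\n";
    }
    return $html . "</ul>\n";
}

echo "--- unsafe ---\n", render_terms_unsafe($search_terms);
echo "--- safe ---\n",   render_terms_safe($search_terms);
```

In the safe output the comment term shows up as literal text and the `<script>` entry is displayed rather than executed; the same escaping belongs on every other field the widget prints, not just the search term.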
Google Analyticator 5.2.1 has been released to address this issue. Upgrade your installation! 🙂