
JavaScriptEncode URL path for use in Google Analytics

I am trying to pass the parameter _trackPageview to Google Analytics.

I now use

_gaq.push(['_trackPageview', <%=AntiXss.JavaScriptEncode(Url.RequestContext.HttpContext.Request.Path ) %> ])

The resulting HTML for "/Home/Index" is:

  _gaq.push(['_trackPageview', '\x2fHome\x2fIndex' ]);

How should I handle the forward slash? Will "\x2" be displayed OK in Google Analytics? Or is it safe to replace \x2 with a forward slash?

_gaq.push(['_trackPageview', <%=AntiXss.JavaScriptEncode(Url.RequestContext.HttpContext.Request.Path).Replace("\x2","/") %> ])

EDIT:

I can't use _gaq.push(['_trackPageview']); without the path parameter because the original path contains the language, which I don't want to track (/de/home/index needs to get tracked as /home/index).

Mathias F asked Dec 20 '25 06:12


1 Answer

You don't actually need the 2nd argument for _trackPageview. By default it will record the current URL (including query params). That URL, on any given page, is assembled/taken from document.location.

Other solutions:

  • The replace solution you already mentioned is actually good enough.
  • Leave the \x2f in the path, it isn't hurting anything other than your eyes/brain.
  • Could you do this in pure JavaScript by using document.location or document.location.pathname? I'd guess the query or hash part of the URL is the only thing you'd need to worry about for an XSS attack.
  • Escape the path instead of encoding it by wrapping it in a string and escaping quotes. You could also just strip any quote marks.
  • Don't encode the path, it most likely is fine (unless it is un-sanitized and from your user data); rather just encode the query and hash.

Parris answered Dec 22 '25 20:12
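
An added example, not part of the question or the answer above: it shows that the '\x2f' literal evaluates to the same string as '/', and what is left of the encoding after the slashes are put back. jsEncode is a simplified stand-in for AntiXss.JavaScriptEncode, and stripLanguage with its two-letter prefix rule is a hypothetical helper; the sample path is constructed.

```javascript
// Simplified stand-in for AntiXss.JavaScriptEncode (assumption, not the library's
// code): wrap in single quotes and hex-escape all but a small safe set.
function jsEncode(value) {
  let out = "'";
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    const code = value.charCodeAt(i);
    if (/[A-Za-z0-9 .,_-]/.test(ch)) out += ch;
    else if (code < 0x100) out += '\\x' + code.toString(16).padStart(2, '0');
    else out += '\\u' + code.toString(16).padStart(4, '0');
  }
  return out + "'";
}

// The Replace idea from the question, applied to the encoded literal. Backslashes
// in the input are always encoded as \x5c, so "\x2f" can only mean an encoded "/".
function restoreSlashes(literal) {
  return literal.split('\\x2f').join('/');
}

// Hypothetical helper: drop a leading two-letter language segment.
function stripLanguage(path) {
  return path.replace(/^\/[a-z]{2}(?=\/|$)/i, '') || '/';
}

// Evaluate the literal the way the page's inline script would.
function evalLiteral(literal) {
  return new Function('return ' + literal + ';')();
}

// Constructed sample path containing a quote and a closing script tag.
const sample = "/de/it's</script>";
const encoded = jsEncode(stripLanguage(sample));
const relaxed = restoreSlashes(encoded);
console.log(encoded, '->', evalLiteral(encoded));
console.log(relaxed, '->', evalLiteral(relaxed));
```

Both literals evaluate to the same path; only the slash is readable again in the second one, while the quote and the angle brackets stay hex-escaped.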


