I’m working on a WordPress site with some other developers and the code they wrote to set upcustom variables for Google Analytics, via the _setCustomVar
, uses html_entity_decode
. They pointed to the well known and much used Yoast plugin which uses a similar technique. I can’t figure out why you would use it that way though.
At no point (that I can see) does the string get encoded, so the function doesn’t do anything. WordPress delivers whole strings, even with accents on them, never anything encoded, so there aren’t rogue encoded characters to worry about. In fact, the one thing you don’t want to do is send Google Analytics a mess of HTML, right?
I’ve changed it because I’m pretty sure that what using html_entity_decode
doesn’t do is remove single quotes, which in a JS script where strings are contained by single quotes, means that any variable with an apostrophe just breaks Google Analytics tracking entirely.
Instead, I’m cleaning strings using a strip_tags
and esc_js
(a WordPress function).
I’m a little concerned because the linked script is very commonly used. It seems like I must be wrong about something and I don’t want to screw up my own script because of it.
What am I missing?
The answer seems to be that Yoast uses that code as a ‘just in case’ measure for strings that might have encoded characters in them. It still doesn’t seem to take care of quote marks though, which is a pretty big deal.
Here’s the code I wrote to solve all the issues: https://gist.github.com/AramZS/8930496