To get around XSS you can use GET requests to your logging script, sending the data as arguments by one of two methods (maybe there are others?):

   * one way is to just "get" an Image by setting an image's SRC to
     your logging script.
   * another is to have an inline IFRAME where you also change its SRC
     to your logging script's URL.

You might have to have some built-in delay to let the logging script have time to actually log the event before the form gets submitted... I'm thinking using setTimeout() in javascript.


Yitzchak Schaffer said the following on 23/11/2009 06:01 p.m.:
Alejandro Garza Gonzalez wrote:
1) You *can* use GA and some Javascript embedded in your III pages to log "events" (as they´re called in GA lingo). The javascript (depending on your coding wizardry level) could track anything from hovers over elements, form submission, "next page" events, etc.

Hi Alejandro,

Thanks for a great suggestion. I tried poking around at it; it seems to me like Events aren't built for what I'm really interested in doing, namely systematic exploration and analysis of the search sessions. IOW, let's say a form looks like


It looks like I could log this as three separate events, or one; but either way, how would one analyze this? I'm not interested (solely) in how many times this particular query was entered.

I started looking at ways to funnel the params into my own tracking script, the prototype of which just writes a line to a text file with a JSON serialization of the form data; but I'm not a JS ninja, so I'm still trying to figure out how to get around the XSS problems.

Ruddy III turnkey...

_________________ ___ _ _ _ _ _ _ _
*Ing. Alejandro Garza González*
Coordinación de proyectos y desarrollo de sistemas
Centro in...@te, Centro para la Innovación en Tecnología y Educación
Tecnológico de Monterrey

Tel. +52 [81] 8358.2000, Ext. 6751
Enlace intercampus: 80.689.6751, 80.788.6106

El contenido de este mensaje de datos no se considera oferta, propuesta o acuerdo, sino hasta que sea confirmado en documento por escrito que contenga la firma autógrafa del apoderado legal del ITESM. El contenido de este mensaje de datos es confidencial y se entiende dirigido y para uso exclusivo del destinatario, por lo que no podrá distribuirse y/o difundirse por ningún medio sin la previa autorización del emisor original. Si usted no es el destinatario, se le prohíbe su utilización total o parcial para cualquier fin.

The content of this data transmission must not be considered an offer, proposal, understanding or agreement unless it is confirmed in a document signed by a legal representative of ITESM. The content of this data transmission is confidential and is intended to be delivered only to the addressees. Therefore, it shall not be distributed and/or disclosed through any means without the authorization of the original sender. If you are not the addressee, you are forbidden from using it, either totally or partially, for any purpose.

Reply via email to