Vulnerability in EPiServer.Forms
When Find returns search results, the resulting links include a unique query/tracking code in the URL:
I have not yet deployed Google Analytics to my site, but I imagine this will wreck my analytics reports. Instead of a pageview for http://domain.se/test-page/, the above URL will create a unique pageview for the above URL, I suppose. Is there anybody that has already tested this?
In order to avoid this, is there any way to remove this tracking query before the page is loaded? I suppose another option would be to cleanse the data that Google Analytics receives, but I want to first find out if I can tackle this within Episerver.
It's an ugly looking link and the user's IP address (!) is in the link which is not good if you have third-party tracking (e.g. GA) and would like to anonymize IPs. GA has anonymize IP support for their standard functions but you will need additional setup when IP is part of querystring.
These parameters are extracted from URL, stored in cookies and sent back to the server for tracking later. You can find more details in this blog post.
After clicking on a search hit link, the user navigates to the original URL, like http://domain.se/test-page/. Is it still a problem when using GA?
These are links to enable click tracking if you have enabled statistics in Episerver Find (tracking your queries). I recommend reading the following blog post to understand how it works (out of the box): http://www.patrickvankleef.com/2015/11/22/ascend15-find-advanced-developer-scenarios/
To handle it yourself, see:
Thank you Dmytro Duk, after reading your blog post I understand more of the inner workings of Find track. I guess there is no problem after all. It is a good thing the querystrings are extracted. I now understand the querystrings won't ruin the GA reports with these queries nor send potential "sensitive" IPs.
Actually, Dmytro, the user is not redirected to the original (or "clean") URL. Neither on Episerver.com, e.g. http://www.episerver.com/Search/?searchQuery=test, nor on the site I am responsible for. Is this a changed behavior since you wrote your blog in 2014 maybe?
And as Hovard points out, this is a huge violation of the GA ToS. I'm using GA, so now I've used Exclude URL Query Parameters to remove all this "junk".
I'm thinking Episerver should give its users and developers more of a heads-up that IP addresses are saved in query strings and thus potentially sent and propagated to all kinds of tracking tools...
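An added example, not part of any post in this thread: one way to strip the Find click-tracking parameters from a URL before the page path is handed to an analytics tool, so the visitor's IP address never leaves the site in a query string. It assumes the tracking parameters all start with `_t_` (for example `_t_id`, `_t_q`, `_t_ip`, `_t_hit.id`, `_t_hit.pos`); the function names and the sample URLs are constructed for illustration.

```javascript
// Assumption: every Find click-tracking parameter starts with "_t_".
const TRACKING_PREFIX = "_t_";

// Return the path to report to analytics plus the names of removed parameters.
// `base` lets relative links (as found in search-result markup) be parsed.
function stripFindTracking(href, base = "http://domain.se/") {
  const url = new URL(href, base);
  const removed = [];
  // Snapshot the keys first: deleting while iterating URLSearchParams skips entries.
  for (const key of new Set([...url.searchParams.keys()])) {
    if (key.toLowerCase().startsWith(TRACKING_PREFIX)) {
      removed.push(key);
      url.searchParams.delete(key); // removes every value stored under this key
    }
  }
  // Unrelated parameters and the fragment are kept; host and scheme are dropped.
  return { clean: url.pathname + url.search + url.hash, removed };
}

// Defensive check before sending: does anything that looks like an IPv4
// address remain in the string about to be reported?
function hasIpLikeValue(pathAndQuery) {
  return /\b(?:\d{1,3}\.){3}\d{1,3}\b/.test(decodeURIComponent(pathAndQuery));
}

// Constructed sample link in the shape discussed in the thread.
const sample =
  "http://domain.se/test-page/?page=2&_t_id=abc&_t_ip=192.0.2.10&_t_hit.pos=1#top";
const result = stripFindTracking(sample);
console.log(result.clean);                  // path to pass as the analytics page path
console.log(result.removed.join(", "));     // which tracking parameters were dropped
console.log(hasIpLikeValue(result.clean));  // should be false before sending
```

This covers only what the page itself reports; a filter such as GA's Exclude URL Query Parameters is still worth keeping for the case where the script does not run.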
David, strange, it works for me. But you may suffer from a problem I encountered earlier. We had a web filter that blocked requests to dl.episerver.net. So check in your development console for JS errors or failed requests to dl.episerver.net.
@David F., I don't see any issues when clicking on search hits on http://www.episerver.com/Search/?searchQuery=test, pages are being opened with original URLs. It is not a redirect, the Find script restores the original URL for navigation at the moment when the user clicks on a search hit.
It looks like Find script does not execute in your case (on your environment?).
Could you check if native.history.js and find.js scripts are successfully loaded in your browser in correct order from CDN? They should have URLs like these: