Allowing Custom HTML Tags

[hridaykedia]

Product Description

Custom HTML tags were blocked and could not be run. Require custom html tags for a few use cases. This change allows custom html tags from gtm to be triggered.

Technical Summary

Before:

const BLOCKED_TAG_TYPES = ['jsm', 'html', 'img', 'j', 'k'];

After:

const BLOCKED_TAG_TYPES = ['img', 'k'];

Safety Assurance

The change is low-risk: it only modifies the list of disallowed tag types and does not alter any parsing or rendering logic.

Verified locally that removing html, j and jsm (html, javascript variable and custom javascript variable) from the blocked list enables expected rendering of custom tags without introducing new runtime errors.

Safety story

Automated test coverage

QA Plan

Labels & Review

• The set of people pinged as reviewers is appropriate for the level of risk of the change

[coderabbitai]

Walkthrough

This pull request updates GTM (Google Tag Manager) tag filtering configuration constants in commcare_connect/static/js/gtx.js. The ALLOWED_TAG_TYPES constant is expanded to include 'html', 'j', and 'jsm' (previously restricted), while BLOCKED_TAG_TYPES is narrowed to only ['img', 'k'], removing restrictions on the three tag types now in the allowlist. No control flow or error handling logic is modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Key consideration: This is a straightforward configuration change with low code complexity, but requires verification that the GTM tag type allowlist/blocklist modifications are intentional and will not introduce unintended tag execution behavior
• The change reverses the filtering logic for 'html', 'j', and 'jsm' tags—verify this aligns with intended GTM behavior and security requirements
• Confirm the narrowed blocklist (only 'img' and 'k') does not regress any existing tag filtering safeguards

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly reflects the main change: allowing custom HTML tags by removing them from the blocked list.
Description check	✅ Passed	The description is clearly related to the changeset, explaining why custom HTML tags are being allowed and how the BLOCKED_TAG_TYPES list was modified.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 64c4f54 and 93538eb.

📒 Files selected for processing (1)

• commcare_connect/static/js/gtx.js (1 hunks)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify security controls before allowing JavaScript execution via GTM.

Allowing 'html', 'j', and 'jsm' tag types enables arbitrary JavaScript execution through Google Tag Manager. While this may be intentional for GTM functionality, it introduces potential security risks:

1. XSS vector: If GTM account access is compromised or improperly controlled, malicious actors could inject executable code.
2. Authorization gaps: Without proper tag approval workflows, unauthorized tags could be deployed.
3. CSP conflicts: Custom HTML/JavaScript tags may conflict with Content Security Policy directives.

Please verify:

• GTM account access is restricted to authorized personnel only
• A tag review/approval process exists before tags go live
• Content Security Policy allows inline scripts from GTM or uses appropriate nonces
• Security team has reviewed this change

---

🏁 Script executed:

#!/bin/bash
# Description: Check if CSP configuration exists and verify its compatibility with GTM custom tags

# Search for Content-Security-Policy headers or meta tags in templates/config
echo "=== Checking for CSP configuration ==="
rg -n -C3 "Content-Security-Policy" --type html --type py

echo -e "\n=== Checking for GTM-related CSP directives ==="
rg -n -C3 "(script-src|unsafe-inline|googletagmanager)" --type html --type py

echo -e "\n=== Checking for security middleware or settings ==="
rg -n -C3 "(CSP_|SECURE_|SecurityMiddleware)" --type py

Length of output: 4011

---

---

🏁 Script executed:

#!/bin/bash
# Description: Analyze GTM implementation details and access controls

echo "=== Checking gtx.js full content ==="
cat commcare_connect/static/js/gtx.js

echo -e "\n=== Searching for GTM account ID or configuration ==="
rg -n "GTM-|googletagmanager|gtag" --type js --type html --type py

echo -e "\n=== Searching for tag approval or review process documentation ==="
rg -n -C3 "(tag.*review|tag.*approval|gtm.*access|gtm.*permission)" --type md --type py --type txt -i

echo -e "\n=== Checking for environment-based GTM configuration ==="
rg -n "GTM|gtx\|googletagmanager" config/ --type py

Length of output: 2300

---

🏁 Script executed:

#!/bin/bash
# Description: Analyze GTM implementation details and access controls

echo "=== Checking gtx.js full content ==="
cat commcare_connect/static/js/gtx.js

echo -e "\n=== Searching for GTM account ID or configuration ==="
rg -n "GTM-|googletagmanager|gtag" --type js --type html --type py

echo -e "\n=== Searching for tag approval or review process documentation ==="
rg -n -C3 "(tag.*review|tag.*approval|gtm.*access|gtm.*permission)" --type md --type py --type txt -i

echo -e "\n=== Checking for environment-based GTM configuration ==="
rg -n "GTM|gtx\|googletagmanager" config/ --type py

Length of output: 2300

---

---

🏁 Script executed:

#!/bin/bash
# Description: Check for deployment safeguards and documentation

echo "=== Checking for deployment/CI configuration ==="
fd -e yml -e yaml -e json | head -20 | xargs grep -l "gtm\|GTM" 2>/dev/null || echo "No GTM in CI config found"

echo -e "\n=== Checking README for GTM guidance ==="
fd -e md | xargs grep -l -i "gtm\|google tag manager" 2>/dev/null || echo "No GTM in READMEs"

echo -e "\n=== Checking for CONTRIBUTING or SECURITY docs ==="
ls -la | grep -i "CONTRIBUTING\|SECURITY\|ARCHITECTURE"

echo -e "\n=== Checking for any .env or secret management ==="
rg -n "gtm" --type env --type py --type md -i | head -20

Length of output: 266

---

🏁 Script executed:

#!/bin/bash
# Description: Check for deployment safeguards and documentation

echo "=== Checking for deployment/CI configuration ==="
fd -e yml -e yaml -e json | head -20 | xargs grep -l "gtm\|GTM" 2>/dev/null || echo "No GTM in CI config found"

echo -e "\n=== Checking README for GTM guidance ==="
fd -e md | xargs grep -l -i "gtm\|google tag manager" 2>/dev/null || echo "No GTM in READMEs"

echo -e "\n=== Checking for CONTRIBUTING or SECURITY docs ==="
ls -la | grep -i "CONTRIBUTING\|SECURITY\|ARCHITECTURE"

echo -e "\n=== Checking for any .env or secret management ==="
rg -n "gtm" --type env --type py --type md -i | head -20

Length of output: 266

---

Implement Content Security Policy and document GTM security controls.

Verification confirms the security concerns are valid: the change enables arbitrary JavaScript execution via GTM without visible compensating controls:

1. No CSP found: Codebase has no Content-Security-Policy headers or directives restricting script sources.
2. No access control documentation: No documented GTM account permissions or deployment safeguards.
3. No tag approval workflow: No evidence of a review/approval process for GTM configuration changes.
4. Client-side allowlist insufficient: The allowlist/blocklist in gtx.js cannot prevent GTM account compromise.

Required actions:

• Add CSP with appropriate script-src directive or nonce for GTM
• Document GTM account access controls and who can manage tags
• Document the tag review/approval process before deployment
• Consider adding deployment safeguards in CI/CD for GTM configuration changes

🤖 Prompt for AI Agents

In commcare_connect/static/js/gtx.js around lines 3 to 4, the current
client-side allowlist/blocklist is insufficient to mitigate arbitrary GTM JS
execution; add server-side and operational controls: implement and configure a
Content-Security-Policy header (script-src with trusted origins and/or nonces)
at the application/webserver level to constrain GTM script execution, remove
reliance on client-only allowlists for security decisions, add/update project
documentation describing GTM account ownership and least-privilege access
controls, publish a formal tag review/approval workflow (who reviews, how
changes are approved and audited) and integrate CI/CD safeguards (e.g.,
automated checks, required approvals, or blocked deploys if GTM config changes
are detected) to prevent unauthorized tag deployment.

[calellowitz]

In general the code change looks fine, but I have a few questions.

What is causing us to need to do this? What are using custom html tags for?

Is there a reason these were blocked in the first place? It sounds like it might be a security thing. Is it safe to remove from that list, or are there alternative approaches that would allow us to leave them in the blocked list? I noted that HQ blocks them as well.

[hridaykedia]

In general the code change looks fine, but I have a few questions.

What is causing us to need to do this? What are using custom html tags for?

Is there a reason these were blocked in the first place? It sounds like it might be a security thing. Is it safe to remove from that list, or are there alternative approaches that would allow us to leave them in the blocked list? I noted that HQ blocks them as well.

This change came up while setting up dashboards for Connect. Initially I reviewed how GTM is implemented in HQ, which currently allows only Google tags, and used that as a starting point.

While building dashboards for the required use cases, I ran into scenarios where we need to track a sequence of user actions as a single logical event (for example, step 1 followed by step 2). GTM itself doesn’t provide a native way to track grouped or sequential triggers across page reloads.

To handle this, we needed a way to persist whether a previous action had already occurred. The custom HTML tags are being used solely to set and read boolean session-level state (via sessionStorage) so we can determine:

• whether step 1 occurred before step 2, or
• whether step 2 was triggered directly without the prior action.

Regarding security: The custom HTML tags here are not executing arbitrary scripts or loading external resources — they are limited to very small, controlled snippets for session state tracking only.