
CE-717: Security patch v1.0.2.4 - fix XSS, upgrade Newtonsoft.Json, add deprecation notice#5

Draft
davidericmuller wants to merge 1 commit into master from CE-717_sitecore-deprecation-security-patch

Conversation

@davidericmuller

Description

This PR addresses critical security vulnerabilities and deprecates the Sitecore integration module as part of CE-717:

Why

  1. XSS Vulnerability (CE-717): Two confirmed XSS injection points exist in the codebase that allow attackers to inject arbitrary JavaScript through user-controlled input (e.g., URL parameters):

    • TealiumManager.cs (lines 52-64): Uses string.Format to concatenate values directly into JavaScript without encoding
    • UtagDataProvider.cs (lines 183-190): Wraps values in escaped quotes but never sanitizes the value itself, allowing quote breakout attacks
  2. DoS Vulnerability (INT-555): Newtonsoft.Json v6.0.8 contains a known DoS vulnerability (CVSS 7.5) that needs to be resolved

  3. Module Deprecation: Per the deprecation plan, this module is being officially deprecated with no further updates planned after v1.0.2.4

What Changed

This PR implements Phase 1 Item 3, Phase 2 Items 5 and 6 from the deprecation plan:

Security Fixes (Phase 2, Item 5)

  • Fixed XSS in UtagDataProvider.cs: Replaced manual string concatenation with JsonConvert.SerializeObject() for proper JSON encoding of all values
  • Fixed XSS in TealiumManager.cs: Replaced manual utag_data object construction and vulnerable string.Format calls with safe JsonConvert.SerializeObject() on the entire data dictionary
  • Both fixes ensure all user-controlled input is properly escaped before being rendered into JavaScript contexts

Dependency Update (Phase 2, Item 6)

  • Updated Newtonsoft.Json: Upgraded from v6.0.8 to v13.0.3 to resolve INT-555 (DoS vulnerability)
  • Updated references in packages.config and .csproj file

Deprecation Notice (Phase 1, Item 3)

Version Bump

  • Updated AssemblyInfo.cs from v1.0.2.3 to v1.0.2.4

Files Changed

  • README.md - Added security warning and deprecation notice
  • Tealium.Sitecore.TagManagement/Data/UtagDataProvider.cs - Fixed XSS vulnerability
  • Tealium.Sitecore.TagManagement/TealiumManager.cs - Fixed XSS vulnerability
  • Tealium.Sitecore.TagManagement/packages.config - Updated Newtonsoft.Json to v13.0.3
  • Tealium.Sitecore.TagManagement/Tealium.Sitecore.TagManagement.csproj - Updated Newtonsoft.Json reference
  • Tealium.Sitecore.TagManagement/Properties/AssemblyInfo.cs - Bumped version to v1.0.2.4

Related Issues

Testing

Manual Testing Required

  • Verify the module builds successfully with Newtonsoft.Json v13.0.3
  • Test that utag_data JavaScript object is properly generated with encoded values
  • Test with malicious input (e.g., URL parameter with "-alert(document.domain)-") to confirm XSS is mitigated
  • Verify that README security warning is prominently displayed on GitHub
  • Validate that the assembly version is correctly set to 1.0.2.4

Security Testing

  • Confirm that double-quote characters in parameter values no longer break JSON output
  • Verify that special characters (<, >, &, etc.) are properly escaped
  • Test array/enumerable values are correctly serialized without injection vulnerabilities

🤖 Generated by Glean Code Writer
📝 Chat link - https://app.glean.com/chat/96c783570e004a028e5ca2b7ceb27ded
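The two rendering patterns the description contrasts, as an added example that is not code from the Tealium.Sitecore.TagManagement project: `RenderUnsafe` reproduces the string.Format-into-JavaScript pattern the PR removes, and `RenderSafe` serializes the whole dictionary with JsonConvert.SerializeObject as the fix does. The `StringEscapeHandling.EscapeHtml` setting is an assumption added here (Newtonsoft.Json 13.x) because plain JSON encoding does not prevent a value containing `</script>` from closing an inline script block.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Newtonsoft.Json;

// Added example, not the project's own code. Contrasts the pattern the PR
// describes as vulnerable with the JsonConvert-based pattern it introduces.
static class UtagDataRendering
{
    // Pattern the PR removes: each value is pasted into JavaScript source
    // unencoded, so a double quote inside the value ends the string literal
    // and whatever follows is parsed as code.
    public static string RenderUnsafe(IDictionary<string, object> data)
    {
        var sb = new StringBuilder("var utag_data = {");
        foreach (var kv in data)
            sb.Append(string.Format("\"{0}\":\"{1}\",", kv.Key, kv.Value));
        return sb.Append("};").ToString();
    }

    // Pattern the PR introduces: the whole dictionary becomes one JSON literal,
    // so quotes, backslashes and control characters in values are escaped.
    // EscapeHtml (assumed setting, not mentioned in the PR) additionally emits
    // '<', '>', '&', '\'' and '"' as \uXXXX, so the output can never contain a
    // literal "</script>" when it is written into an inline <script> block.
    public static string RenderSafe(IDictionary<string, object> data)
    {
        var settings = new JsonSerializerSettings
        {
            StringEscapeHandling = StringEscapeHandling.EscapeHtml
        };
        return "var utag_data = " + JsonConvert.SerializeObject(data, settings) + ";";
    }

    public static void Main()
    {
        // Constructed sample input: values as they might arrive from URL parameters.
        var data = new Dictionary<string, object>
        {
            ["page_name"] = "home\" and a stray quote",
            ["tags"] = new[] { "a", "</script>" }
        };
        Console.WriteLine(RenderUnsafe(data)); // quote terminates the JS string literal
        Console.WriteLine(RenderSafe(data));   // single JSON literal, \u0022 and \u003C inside
    }
}
```

Array values such as `tags` also show why serializing the dictionary as a whole matters: the string.Format path renders them as `System.String[]`, while the JSON path produces a proper array with each element escaped.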

…dd deprecation notice

Generated by Glean Code Writer
@davidericmuller added the glean-code-writer label (Modified by Glean Code Writer) on Feb 26, 2026, with glean-github-app-oauth