Escaping insertBefore

We have added Snowplow to our WordPress site and our PHPCS (code sniffer) is flagging the use of insertBefore in the page views tracking snippet (as per https://docs.snowplowanalytics.com/docs/collecting-data/collecting-from-own-applications/javascript-tracker/tracking-specific-events/).

Warning: Any HTML used with insertBefore gets executed. Make sure it's properly escaped (WordPressVIPMinimum.JS.HTMLExecutingFunctions.insertBefore).

Is there any way we can create a new DOM node programmatically and insert that instead of inserting g.parentNode in front of n and g?

There would also be some performance benefits here: https://docs.wpvip.com/technical-references/security/javascript-security-recommendations/

Probably - but I think the benefits are likely pretty minimal for something small like this. The insertBefore method is pretty standard for tag managers (e.g., GTM, Launch) so I’d stick with it for the moment unless there’s going to be a sizeable difference otherwise.

I agree with Mike. That’s not to say it is impossible, I’m sure you could find a way. If you want to understand what the tag is doing then the unminified version is here: https://github.com/snowplow/snowplow-javascript-tracker/blob/2.16.3/tags/tag.js

I think you could create two `<script>`s rather than using insertBefore, I think you’ll just need to make sure they run in the correct order (so not async) so that the SnowplowGlobalNamespace is initialised on the window before the sp.js script loads.
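
An added example, not part of the thread and not Snowplow's own tag: one way to write the loader with a programmatically created node attached via appendChild instead of insertBefore, installing the queue stub before sp.js is requested. The function names, the `ALLOWED_ORIGINS` list and the `cdn.example.com` URL are assumptions for illustration; the `GlobalSnowplowNamespace` name follows the tag.js linked above.

```javascript
// Functions take window/document as parameters so they can be exercised
// with stand-in objects outside a browser.

// Assumption: the only origin allowed to serve sp.js (constructed placeholder).
const ALLOWED_ORIGINS = ["https://cdn.example.com"];

// Step 1: create the command queue stub, as tag.js does, so calls made
// before sp.js has loaded are queued rather than lost.
function installStub(win, name) {
  if (win[name]) return win[name];            // tag already installed
  win.GlobalSnowplowNamespace = win.GlobalSnowplowNamespace || [];
  win.GlobalSnowplowNamespace.push(name);
  const stub = function () {
    stub.q.push(arguments);                   // sp.js drains this queue on load
  };
  stub.q = [];
  win[name] = stub;
  return stub;
}

// Step 2: build the <script> node from DOM properties only (no HTML strings)
// and attach it with appendChild.
function loadTracker(win, doc, name, src) {
  const url = new URL(src);                   // throws on a malformed URL
  if (!ALLOWED_ORIGINS.includes(url.origin)) {
    throw new Error("sp.js origin not allowed: " + url.origin);
  }
  installStub(win, name);                     // always before the node is attached
  const node = doc.createElement("script");
  node.async = true;
  node.src = url.href;
  doc.head.appendChild(node);
  return node;
}

// Browser usage (URL is a placeholder):
// loadTracker(window, document, "snowplow", "https://cdn.example.com/sp.js");
// window.snowplow("trackPageView");
```

Because the stub exists before the node is attached, the script can stay async: any tracker call made in the meantime lands in the queue.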