I have the following page
<html>
  <head>
    <script type="text/javascript" src="e01.js"></script>
  </head>
  <body>
    <script type="text/javascript">
      var obj={someHTML: "<script>alert('a');</script>rest of the html",
               someOtherAttribute:"some value"};
      alert(obj.someHTML);
    </script>
  </body>
</html>
In the someHTML attribute of my object I have a </script> tag in a string, but the browser reads this as an actual close tag and closes the script element. Is there anything I am missing here? (tried it in FF and Chrome)
Hey, I found a bug in Stack Overflow. I cannot write </script> in regular text. It is working in comments but not in an actual question. – yilmazhuseyin, Aug 18, 2010 at 7:46
4 Answers
HTML is parsed before, and independently of, JavaScript. The current browser behavior is that, once an open tag <script> is found, the browser switches to the "Script Data State" and interprets all following data as script until a </script> is found.
Where the </script> is detected doesn't matter — inside a JS string, a JS comment, a CDATA section, or even an HTML comment.
You need to make sure the string does not look like </script> to the HTML parser. The simplest way is to write <\/script>, as in @Daniel's answer.
The ETAGO sequence </ is the token that would terminate a SCRIPT element's content, but it seems that most browsers are permissive, and now the de-facto standard is "</script". It seems comprehensible; it is really common to have, for example, HTML in strings, e.g.: var foo = '<span></span>';... check this test.
You can either escape < and > by, respectively, &lt; and &gt;, or put the whole script in a CDATA section:
<script type="text/javascript">
//<![CDATA[
// the leading "//" keeps the CDATA delimiters valid JavaScript when the page is served as text/html
var obj={someHTML: "<script>alert('a');</script>rest of the html",
         someOtherAttribute:"some value"};
alert(obj.someHTML);
//]]>
</script>
You may want to escape the script tag, like this: <\/script>
var obj= {
someHTML: "<script>alert('a');<\/script>rest of the html",
someOtherAttribute: "some value"
};
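As an added example (not code from any of the answers or from the question), a minimal model of the parser rule the first answer describes, next to a serializer that applies Daniel's <\/ escape when data is embedded in an inline script. findScriptEnd and serializeForInlineScript are names chosen here; the sample object is the one from the question.

```javascript
// Added example, not from any of the posts. Models the HTML tokenizer's
// "script data" state and shows why "<\/" keeps a string from ending the script.

// Return the index where the HTML parser would end the script element: the
// first "</script" followed by whitespace, "/" or ">", case-insensitively.
// JS string literals, comments and CDATA markers are ignored, exactly as the
// first answer describes. Returns -1 if no end tag is present.
// (The "<!--" escaped-state rules of the tokenizer are not modelled here.)
function findScriptEnd(scriptData) {
  return scriptData.search(/<\/script[\t\n\f\r />]/i);
}

// Serialize a value as JSON that can sit inside an inline <script> without
// terminating it. "</" becomes "<\/" (the escape from Daniel's answer; "\/"
// is a legal JSON escape) and "<!--" becomes "\u003c!--", because the
// tokenizer also treats "<!--" specially inside script data. JSON.parse and
// the JS string parser both return the original characters.
function serializeForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/<\//g, '<\\/')
    .replace(/<!--/g, '\\u003c!--');
}

// The object from the question (constructed sample data), embedded the naive
// way and the escaped way into an inline script body.
const obj = {
  someHTML: "<script>alert('a');</script>rest of the html",
  someOtherAttribute: "some value",
};

function naiveScriptBody() {
  return 'var obj = ' + JSON.stringify(obj) + ';';
}

function safeScriptBody() {
  return 'var obj = ' + serializeForInlineScript(obj) + ';';
}

// The naive body is cut off inside the string literal; the safe body is not.
const naiveCut = findScriptEnd(naiveScriptBody()); // index of "</script>" in the literal
const safeCut = findScriptEnd(safeScriptBody());   // -1
console.log({ naiveCut, safeCut, safe: safeScriptBody() });
```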
Another way of doing it can be this.
var obj= {
someHTML: "<script>alert('a');</scr"+"ipt>rest of the html",
someOtherAttribute: "some value"
};
Just put a space between the ending script tag, so it won't be parsed as an end tag.