I need a little assistance. I have to create a javascript string that contains more javascript that is then written to a div tag in the parent window. The code is as follows:
<script language="javascript" type="text/javascript">
var jstr2 = '';
jstr2 += '<script language="javascript">\n';
jstr2 += 'function doPagingProducts(str) {\n';
jstr2 += 'document.frmPagingProducts.PG.value = str\;\n';
jstr2 += 'document.frmPagingProducts.submit()\;\n';
jstr2 += 'return false\;\n';
jstr2 += '}\n';
jstr2 += '</script>\n';
jstr2 += '\n';
</script>
However the closing script tag in the created string actually close the javascript and I get errors such as:
Error: unterminated string literal
Line: 135, Column: 9 ( The </script> line before the end of the string.)
Source Code:
jstr2 += '
Is there any way I can prevent this issue..?
Many thanks for all your help.
Best Regards, Paul
edit I finally solved this problem by extracting the final </script> from the javascript string. I added a end tag where the script shows. Its messy, but it works. Many thanks for all your comments.
-
This is a legit question. As a web developer I like to put basic XSS attempts into my stored data on the site I work on - for example naming an entity "<script>alert('XSS');</script>"; it's not a comprehensive test by any means but it helps keep the frontend honest. I should be able to output JSON containing those strings in a script tag in the HTML without issue.jrz– jrz2014年05月09日 19:19:04 +00:00Commented May 9, 2014 at 19:19
-
stackoverflow.com/questions/23386575/…Govind Singh– Govind Singh2014年05月21日 15:29:48 +00:00Commented May 21, 2014 at 15:29
3 Answers 3
The SCRIPT tag is content agnostic, so the parser just keeps running through the content until it finds a /SCRIPT sequence. When it does, it passes the content it's found to the JS environment for evaluation. That gives you your unterminated literal error because the sent content ends where your /SCRIPT begins. (There is no terminating quote mark to be found for the JS parser).
Escaping the slash with backslash
jstr2 += "<\/script>";
or some other work-around hack breaks the trigger point in the sequence here and solves this problem (but still leaves you with some very dubious code).
Comments
Write it as:
jstr2 += '<\/script>\n';
Comments
You have to split the string:
jstr2 += '<' + '/script>\n';
It's also better to comment out everything inside the script:
<script type="text/javascript">
<!--//
// your code here
//-->
</script>
Or in HTML:
<script type="text/javascript">
//<![CDATA[
// your code here
//]]>
</script>
Or in XHTML:
- same as HTML but #PCDATA instead of CDATA.
12 Comments
<script> as an unknown element and rendering the context as text. It won't stop </script> being treated as an end tag because, in HTML, the element contains CDATA so the code that looks like HTML comments is not treated as such.application/xhtml+xml so it gets parsed as if it was HTML.for(var i=0,n=2;i<n;i++), where sometimes errors are reported on the <n portion due to spacing.