Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Escape </ in script tag contents

Tags:

html

In HTML, tags and entities aren't parsed within <script> tags, and </ immediately ends the tag. Thus,

<script><b>fun &amp; things</

will give you a script tag with the exact contents <b>fun &amp; things.

If you're including JSON and you want to include the characters </ in your script, then you can replace it with <\/ because the only place for those characters to appear is in a string, and \/ is an escape sequence that turns into a single forward slash.

However, if you're not using JavaScript, then this trick doesn't work. In my case specifically I'm trying to insert a <script type="math/tex"> into the source so that MathJax will process it. Is there a way to escape </ in the original HTML source? (I don't have a particular need for </ but I'm writing a generic tool and want to make it possible to use any text.)

(It's possible to create the script tag in JavaScript and populate its innerText, but I'm working with the raw HTML so I can't do that.)

like image 435
Sophie Alpert Avatar asked Feb 08 '13 20:02

Sophie Alpert


People also ask

How do you escape a script tag in HTML?

The first fix is to use the backslash character (\) to escape (/) in the </script> tag. This extra backslash will stop the browser to recognize this tag as the end of JavaScript code.

How do you escape text in JavaScript?

Javascript uses '\' (backslash) in front as an escape character. To print quotes, using escape characters we have two options: For single quotes: \' (backslash followed by single quote) For double quotes: \” (backslash followed by double quotes)

What is escape character in JavaScript?

Escape Character The string will be chopped to "We are the so-called ". The solution to avoid this problem, is to use the backslash escape character. The backslash ( \ ) escape character turns special characters into string characters: Code. Result.

Do I need to escape in JavaScript string?

The only characters you normally need to worry about in a javascript string are double-quote (if you're quoting the string with a double-quote), single-quote (if you're quoting the string with a single-quote), backslash, carriage-return (\r), or linefeed (\n).


2 Answers

I came here looking for a way to universally escape </script> inside the JavaScript code.

After bit of research I figured that if you are trying to escape </script> in JavaScript code so it can be safely embedded in html between <script> and </script> tags you should replace </script with </scr\ipt or </scri\pt. It's safer to do because if you replace it with <\/script you might break JavaScript code like this: var q = -1</script/.test("script");

Be careful not to look for </script> but rather </script because </script asdasdas> will end your script just as well as </script> does.

Sorry, it doesn't help OP in any way. Accepted answer is absolutely correct that you need to know what constructs are legal in language you have inside your <script></script> to know how to escape </script> occurrence without braking the code.

like image 106
Kamil Szot Avatar answered Oct 15 '22 18:10

Kamil Szot


The HTML specification explains in detail what is allowed and how to securely escape content. Especially considering HTML's history, this is a non-trivial task.

From the HTML specification:

The easiest and safest way to avoid the rather strange restrictions described in this section is to always escape "&lt;!--" as "&lt;\!--", "&lt;script" as "&lt;\script", and "&lt;/script" as "&lt;\/script" when these sequences appear in literals in scripts (e.g., in strings, regular expressions, or comments), and to avoid writing code that uses such constructs in expressions. Doing so avoids the pitfalls that the restrictions in this section are prone to triggering: namely, that, for historical reasons, parsing of script blocks in HTML is a strange and exotic practice that acts unintuitively in the face of these sequences.

Source: https://www.w3.org/TR/html52/semantics-scripting.html#restrictions-for-contents-of-script-elements

like image 28
BenR Avatar answered Oct 15 '22 16:10

BenR