I'm writing a server-side function for a framework that will let me inline a Javascript file. It takes the filename as input, and its output would be like this:
<script>
/* contents of Javascript file */
</script>
How do I escape the contents of the Javascript file safely?
I am particularly worried if the file contains something like </script>
. If the input Javascript file has syntax errors, I still want it to escape correctly. I also realise that XHTML expects some entities to be encoded, whereas HTML doesn't.
There are a lot of questions similar to this asking about how to escape string literals or JSON. But I want something that can handle the general case, so that I can write a tool for the general case.
(I realise inlining potentially untrusted Javascript isn't the best idea, so no need to spend time discussing that.)
The first fix is to use the backslash character (\) to escape (/) in the </script> tag. This extra backslash will stop the browser to recognize this tag as the end of JavaScript code.
In the HTML we use double-quotes and in the JavaScript single-quotes, so any quotes within the JavaScript code will need to be escaped so that they don't conflict with either the HTML or JavaScript quotes.
This is a work in progress, let me know if I've missed a corner case!
The answer is different depending on whether you're using XHTML or HTML.
Content-Type: application/xhtml+xml
headerIn this case, you can simply XML escape any entities, turning this file:
console.log("Example Javascript file");
console.log(1</script>2/);
console.log("That previous line prints false");
To this:
<script>
console.log("Example Javascript file");
console.log(1</script>2/);
console.log("That previous line prints false");
</script>
Note that if you're using XHTML with a different Content-Type
header, then different browsers may behave differently, and I haven't researched it, so I would recommend fixing the Content-Type
header.
Unfortunately, I know of no way to escape it properly in this case (without at least parsing the Javascript). Replacing all instances of /
with \/
would cause some Javascript to break, including the previous example.
The best that I can recommend is that you search for </script
case-insensitively and throw an exception if you find it. If you're only dealing with string literals or JSON, substitute all instances of /
with \/
.
Some Javascript minifiers might deal with </script
in a safe manner perhaps, let me know if you find one.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With