Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I properly escape inline Javascript in a <script> tag?

Tags:

javascript

html

xhtml

I'm writing a server-side function for a framework that will let me inline a Javascript file. It takes the filename as input, and its output would be like this:

<script>
   /* contents of Javascript file */
</script>

How do I escape the contents of the Javascript file safely?

I am particularly worried if the file contains something like </script>. If the input Javascript file has syntax errors, I still want it to escape correctly. I also realise that XHTML expects some entities to be encoded, whereas HTML doesn't.

There are a lot of questions similar to this asking about how to escape string literals or JSON. But I want something that can handle the general case, so that I can write a tool for the general case.

(I realise inlining potentially untrusted Javascript isn't the best idea, so no need to spend time discussing that.)

like image 741
Flimm Avatar asked Dec 31 '15 11:12

Flimm

People also ask

How to escape script tag in JavaScript?

The first fix is to use the backslash character (\) to escape (/) in the </script> tag. This extra backslash will stop the browser to recognize this tag as the end of JavaScript code.

Do you need to escape in JavaScript?

In the HTML we use double-quotes and in the JavaScript single-quotes, so any quotes within the JavaScript code will need to be escaped so that they don't conflict with either the HTML or JavaScript quotes.

1 Answers

This is a work in progress, let me know if I've missed a corner case!

The answer is different depending on whether you're using XHTML or HTML.

1. XHTML with Content-Type: application/xhtml+xml header

In this case, you can simply XML escape any entities, turning this file:

console.log("Example Javascript file");
console.log(1</script>2/);
console.log("That previous line prints false");

To this:

<script>
console.log(&quot;Example Javascript file&quot;);
console.log(1&lt;/script&gt;2/);
console.log(&quot;That previous line prints false&quot;);
</script>

Note that if you're using XHTML with a different Content-Type header, then different browsers may behave differently, and I haven't researched it, so I would recommend fixing the Content-Type header.

2. HTML

Unfortunately, I know of no way to escape it properly in this case (without at least parsing the Javascript). Replacing all instances of / with \/ would cause some Javascript to break, including the previous example.

The best that I can recommend is that you search for </script case-insensitively and throw an exception if you find it. If you're only dealing with string literals or JSON, substitute all instances of / with \/.

Some Javascript minifiers might deal with </script in a safe manner perhaps, let me know if you find one.

like image 186
Flimm Avatar answered Oct 15 '22 19:10

Flimm
Sign in to Comment

Related questions

timer is not reset when "game" restarts
Gnome shell extensions: how to run a command with pipes
Endless loop rendering component on ReactJs
Javascript: Animated GIF to Data URI
How to use Materialize css Tabs in Meteor?
Passing array style query parameters to a resource in Angularjs
Using Angular translate within controller, for data brought by service
Javascript code optimization for Find()
VueJS re-compile HTML in an inline-template component
How to set Paper.js Canvas background fill color (No CSS background)
Does Aurelia have ng-template alternative?
Access to DOM using node.js
Is there a way to fill from a point till it hits a border using HTML Canvas and JavaScript?
Keeping track of wins Rock paper scissors
How can I create a "wall" on top of a div and make everything inside it not clickable and not focusable?
Avoiding Pitfalls with Assigning Falsy Values in Defaults?
Updating json with lodash
React Router serverside rendering errors: Warning: Failed propType: Required prop `history` was not specified in `RoutingContext`
Showing total results count using Typeahead.js's prefetch
Correct way to cast a JSON object into a typescript typed variable using a class?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!