Menu
I have following page
<html>
<head>
<script type="text/javascript" src="e01.js"></script>
</head>
<body>
<script type="text/javascript">
var obj={someHTML: "<script>alert('a');</script>rest of the html",
someOtherAttribute:"some value"};
alert(obj.someHTML);
</script>
</body>
</html>
in someHTML attribute of my object I have </script> tag in a string. but browser reads this as actual close tag and closes the script element. is there anything I am missing here? (tried it in ff and chrome)
773
HTML is parsed before and independent from Javascript. The current browser behavior is that, once an open tag <script> is found, the browser will switch to "Script Data State" and interpret all following data as script until a </script> is found.
Where the </script> is detected doesn't matter — inside a JS string, a JS comment, a CDATA section, or even HTML comment.
You need to make the string does not look like </script> to the HTML parser. The simplest way is to write <\/script> as in @Daniel's answer.
120
You can either escape < and > by, respectively < and > or put the whole script in a CDATA section:
<script type="text/javascript">
<![CDATA[
var obj={someHTML: "<script>alert('a');</script>rest of the html",
someOtherAttribute:"some value"};
obj(some.pageButtonScript);
]]>
</script>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
