ansaurus

Question

String "</script>" causes an error in IE

Answer 1

+1 A:

I've seen this...

var s = '</scr' + 'ipt>'

That said, it gives off a bit of a code smell. I'm not sure if it's appropriate. :)

Mayo 2009-09-25 20:58:08

I find it amusing that the other answer that had string concatenation in it was upvoted, while this one was down voted.

nilamo 2009-09-25 21:04:49

Yea, what's up with that?

Christopher W. Allen-Poole 2009-09-25 21:06:40

This is what Yahoo does.

womp 2009-09-25 21:08:55

Answer 2

+4 A:

This will happen for any browser. The HTML parser does not know the details of the scripting language you're trying to use, so your <script> tag will be terminated on the first occurence of </script>, regardless of context. The JS parser will then of course complain that the string is not terminated, because the closing apostrophe is not inside the script block.

You need to use something like '<\/script>' instead if you want to use that scring in your script.

Michael Madsen 2009-09-25 20:59:57

Would the downvoters care to elaborate on their reasons for doing so?

Michael Madsen 2009-09-25 21:10:21

IIRC, it is "</" that terminates SCRIPT tag.

kangax 2009-09-25 21:19:34

I would consider an HTML parser that worked like that as being broken. since that goes against all other HTML principles - </> might break it as well due to its property as an "anonymous close tag" in SGML, but most certainly not </.

Michael Madsen 2009-09-25 21:29:32

Having said that, I have not exhaustively tested all browsers for this, but IE 8 certainly doesn't behave like that.

Michael Madsen 2009-09-25 21:30:33

I'm not familiar with SGML rules in this regard, but I just checked again and HTML does indeed explicitly state that "</" is what terminates SCRIPT (other than that sequence, element's contents are just plain CDATA) - http://www.w3.org/TR/REC-html40/types.html#type-cdata

kangax 2009-09-25 21:36:53

Actually, thinking a bit more about it, that makes sense - at least as far as validity is concerned. I would still expect actual implementations to require the full end tag, but that would be more of a side effect from the necessity for them to handle invalid HTML as well - for the sake of completeness, though, I'll edit accordingly.

Michael Madsen 2009-09-25 21:59:19

Answer 3

+7 A:

This works for me

var a = "<\/script>"

dharga 2009-09-25 21:01:14

Thanks, it did the trick!

Andrey 2009-09-25 21:02:25

why the downvote? it works!

dharga 2009-09-25 21:13:11

You can should also be able to wrap your code in `` (or `<![CDATA[ ]]>` if it's being parsed as X(HT)ML).

Wevah 2009-09-25 21:26:16

You should NOT wrap the code in . We don't need to cater for Netscape 2 any more.

David Dorward 2009-09-25 21:54:29

Neither should you wrap your code in `<![CDATA[..]]>` without commenting it out. `<![CDATA[..]]>` is an XML literal in JavaScript 1.6+ and nothing in it would be processed as code

Eli Grey 2009-09-26 01:40:22

Answer 4

+3 A:

To use a / character you need to first preface it with \.

So this works:

<script type="text/javascript"> var s = '<\/script>'; alert( s);</script>

Nissan Fan 2009-09-25 21:01:59

Answer 5

A:

I've seen this:

var s = unescape("%3C/script%3E")

Smells really bad too.

deverop 2009-09-25 21:02:55

ansaurus

tags:

views:

answers:

String "</script>" causes an error in IE

related questions