escaping: "var name = '</script>'"

Question

our middle tier needs to do something to prevent </script> from appearing verbatim in javascript string. for example, in all browsers, the HTML parser in its first pass will ignore the javascript context, see the first close-script, then see garbage then see a second close-script. See: using-script-in-a-javascript-literal

<HTML>
<BODY>
  start
  <SCRIPT>
    alert( "</SCRIPT>" );
  </SCRIPT>
  finish
</BODY>
</HTML>

My first idea to fix this is to extend the characters we escape for javascript strings to include '>' and '<' -- this appears to work in the browsers I tested, but doesn't look standards compliant: escapesequence.shtml

edit: this rule is specifically for contents rendered into a javascript string literal.

Answer 1

You need to remove the literal </ somehow:

"<" + "/"
"<\/"
"<\x2F"
"\x3C/"
"<\u002F"
"\u003C/"

See description of the CDATA type:

Although the STYLE and SCRIPT elements use CDATA for their data model, for these elements, CDATA must be handled differently by user agents. Markup and entities must be treated as raw text and passed to the application as is. The first occurrence of the character sequence "</" (end-tag open delimiter) is treated as terminating the end of the element's content. In valid documents, this would be the end tag for the element.