The main point of changing "<" to "\<" and ">" to "\>" is to avoid the inline script below:

<script>
   var foo = "</script><script>alert('bug');</script><script>"; // the value of foo is generated from server
</script>

The string value of foo is generated on the server side. So, we plan to change "<" to "\<" and ">" to "\>". (I know there is an argument that ">" should be escaped to "&gt;", but it is not in consideration in this case.)

So, the expected result is:

<script>
   var foo = "\</script\>\<script\>alert('bug');\</script\>\<script\>"; // the value of foo is generated from server
</script>

For IE7/8 and Firefox, the HTML rendering engine will not treat \<script\> in a JavaScript string as a <script> tag, and the JavaScript engine still takes it as the string "<script>". However, I'm not sure whether all browsers treat "\>" and "\<" this way. Is this a kind of standard for all browsers?

+5  A: 

No, your best bet is to use &gt; and &lt; for the greater than and less than signs respectively.

So you'd want something like this:

var foo = "&lt;/script&gt;&lt;script&gt;alert('bug');&lt;/script&gt;&lt;script&gt;";
Justin Niessner
Oh, I had never had such a thing happen to me before. How odd.
altCognito
I checked it on popular browsers: IE5 on WinXP, IE7, IE8, Firefox on Win, Firefox on Mac, Safari on Mac. They treat inline "\>" as ">".
Morgan Cheng
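
An added example, not part of the original question or its answers: it runs the question's payload through the backslash scheme, through Unicode escapes (`\u003c`, `\u003e`), and through HTML entities, then checks both whether a simplified model of the HTML parser would end the script block and what value the JavaScript engine ends up with. The function names, the tokenizer regex and the quote/backslash handling in `backslashEscape` are assumptions made for this illustration.

```javascript
// Added example; all names here are hypothetical, not from the thread.

// Serialize a value as a JS literal for an inline <script> block.
// JSON.stringify handles quotes, backslashes and control characters; the
// replace step removes every character the HTML parser could act on, plus
// U+2028/U+2029, which older JS engines treat as line terminators.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The question's scheme ("<" -> "\<", ">" -> "\>"). Escaping of quotes and
// backslashes is added here (assumption) so the result is a valid literal.
function backslashEscape(str) {
  const body = str.replace(/\\/g, "\\\\").replace(/"/g, '\\"')
    .replace(/</g, "\\<").replace(/>/g, "\\>");
  return '"' + body + '"';
}

// Simplified model of the HTML tokenizer inside a script element: the block
// ends at the first "</script" followed by whitespace, "/" or ">".
function closesScriptElement(scriptText) {
  return /<\/script[\t\n\f\r \/>]/i.test(scriptText);
}

// The value the JavaScript engine sees once the literal is evaluated.
function evaluateLiteral(literal) {
  return new Function("return " + literal + ";")();
}

// Constructed sample: the payload from the question.
const payload = "</script><script>alert('bug');</script><script>";

function demo() {
  const slashed = backslashEscape(payload);
  const unicode = toInlineScriptLiteral(payload);
  return {
    rawCloses: closesScriptElement('var foo = "' + payload + '";'),
    slashedCloses: closesScriptElement("var foo = " + slashed + ";"),
    unicodeCloses: closesScriptElement("var foo = " + unicode + ";"),
    slashedValue: evaluateLiteral(slashed),
    unicodeValue: evaluateLiteral(unicode),
    // In an HTML (not XHTML) page, character references inside a script
    // element are not decoded, so the entity text reaches the engine as-is.
    entityValue: evaluateLiteral('"&lt;/script&gt;"'),
  };
}

console.log(demo());
```

In this model the backslash form survives only because "\>" follows "</script"; the Unicode-escaped form leaves no "<" in the script text at all, so it does not depend on that tokenizer detail.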