HTML 5's Tokenizer defines different states that can occur within a <script> tag. If the value "<!--" is inserted, the tokenizer will be at the "Script data escaped dash dash state". From here, one can insert "<script>" and be at the "Script data double escaped state". These states are respected by HTML 5 capable browsers. If the state is changed without closing the state, a parse error ought to occur.
The escaper should be updated to Unicode escape PS, LS, "<", and ">" characters. This should prevent parse errors in most applications and potential security side effects in some applications (e.g. disabling of frame breaking JS).
Affects: 3.0 GA, 3.1 GA, 3.2 RC1
0 votes, 5 watchers
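The escaping requested in the issue above, sketched in JavaScript as an added example (not part of the original issue and not Spring's code). `escapeForScriptString`, `roundTrip` and `demo` are hypothetical names and the sample input is constructed. It Unicode-escapes "<", ">", U+2028 and U+2029 so the emitted literal carries no markup that could change the tokenizer state, then evaluates the literal to confirm the original value is recovered.

```javascript
// Added example: escape a value for use inside a quoted JavaScript string
// literal that is emitted within an HTML <script> block.
// escapeForScriptString is a hypothetical name, not Spring's API.

const ESCAPES = new Map([
  ['\\', '\\\\'],
  ['"', '\\"'],
  ["'", "\\'"],
  ['\n', '\\n'],
  ['\r', '\\r'],
  ['\t', '\\t'],
  ['<', '\\u003C'],      // keeps "<!--", "<script>", "</script>" out of the markup
  ['>', '\\u003E'],      // keeps "-->" out of the markup
  ['\u2028', '\\u2028'], // listed as a line terminator in ECMA-262
  ['\u2029', '\\u2029'], // listed as a line terminator in ECMA-262
]);

function escapeForScriptString(input) {
  let out = '';
  for (const ch of String(input)) {
    out += ESCAPES.has(ch) ? ESCAPES.get(ch) : ch;
  }
  return out;
}

// Evaluate the escaped text as a double-quoted literal to confirm that the
// escapes decode back to the original characters.
function roundTrip(input) {
  return new Function('return "' + escapeForScriptString(input) + '";')();
}

// Constructed sample input containing every character the issue names.
const SAMPLE = 'a<!--<script>b</script>-->\u2028c\u2029"d\'\\';

function demo() {
  const escaped = escapeForScriptString(SAMPLE);
  return {
    escaped,
    // true would mean a raw "<", ">", U+2028 or U+2029 survived escaping
    hasRawSpecials: /[<>\u2028\u2029]/.test(escaped),
    roundTrips: roundTrip(SAMPLE) === SAMPLE,
  };
}

console.log(demo());
```

The escaped form is only safe in the context it was built for, a quoted string literal inside a script block; values written into HTML attributes or element content need their own encoding.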
Rossen Stoyanchev commented
U+2028 (PS) and U+2029 (LS) are indeed listed as line terminators in ECMA-262. However, I don't see any special characters to represent them in a string? So what would an
Jon Passki commented