js escaper fails to escape </script>

[arnaud-lb]

A closing script tag, even placed inside quotes, even inside <![CDATA section, will close a <script> tag:

<script type="text/javascript">
var = "</script>"; // this closes the script tag
</script>

The js escaper should be able to catch this.

Looking at how others do to escape this sort of things, I found multiple solutions :

• Change </script> into '</sc' + 'ript>' : not suitable for a generic escaper (i.e. depends on single or double quotes)
• Escape '/'. Changing </script> into <\/script> seems to successfully avoid the problem. I read that json encoders escape the '/' for this reason, but I'm unsure.
• Use a white list of safe chars and escape everything others to \xHEX and \uUNICODE representation. This is totally safe, this can even escape html special chars and make escape('js') safe for html too (useful when doing things like onclick="fun({{somevar}})"). However this depends on the encoding (the escaper should be encoding aware anyway).

[arnaud-lb]

Here is an implementation of the second solution, which escapes control chars too:
http://github.com/arnaud-lb/Twig/commit/0845a35e3ee0b28534e2c26aea584952d670b652 (it does basically the same escaping as json_encode(), but does not handles unicode)

And an implementation of the last solution, which escapes everything except unicode alpha-numeric characters and the space character into \xHH or \uHHHH representations (as in http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/JavaScriptCodec.java ): http://github.com/arnaud-lb/Twig/commit/30c54eb89f205670050cab263dc241e295474f89 (this makes this solution html-safe too)