Rephrase misleading recommendation to escape "<script" as "<\script" in literals #7179

Closed
mathiasbynens opened this issue Oct 7, 2021 · 3 comments
Labels
clarification Standard could be clearer topic: script

Comments

@mathiasbynens
Member

mathiasbynens commented Oct 7, 2021

https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements

> The easiest and safest way to avoid the rather strange restrictions described in this section is to always escape an ASCII case-insensitive match for "<!--" as "<\!--", "<script" as "<\script", and "</script" as "<\/script" when these sequences appear in literals in scripts (e.g. in strings, regular expressions, or comments) […]

It’s misleading to state that this is the way to do it in all literals including regular expression literals, since \s (in <\script) has a different meaning in regular expression literals (it matches whitespace instead of the character s). We could either suggest a different way of escaping this (e.g. "<script" as "\x3Cscript") or clarify that for regular expression literals specifically a different approach should be used.

@koto

koto commented Oct 7, 2021

Perhaps a different letter from script could be picked up that doesn't clash with RE's metacharacters?

@mathiasbynens
Member Author

mathiasbynens commented Oct 7, 2021

> Perhaps a different letter from script could be picked up that doesn't clash with RE's metacharacters?

I think this is also undesirable since that is disallowed in regular expressions with the u flag. E.g. /\i/u throws. Since we’d need to use an escape sequence of the form \xNN or \uXXXX anyhow, any character seems fine, so it might as well be <\x3C (to still keep the rest of the pattern somewhat readable).

@zcorpan
Member

zcorpan commented Oct 7, 2021

Escaping < instead as you suggested SGTM. We can recommend that for all of the strings here for consistency.

@annevk annevk added clarification Standard could be clearer topic: script labels Oct 7, 2021
mathiasbynens added a commit to mathiasbynens/html that referenced this issue Oct 18, 2021
mathiasbynens added a commit to mathiasbynens/html that referenced this issue Oct 18, 2021
@annevk annevk closed this as completed in 5fbe933 Oct 18, 2021
devtools-bot pushed a commit to ChromeDevTools/devtools-frontend that referenced this issue Oct 20, 2021
See whatwg/html#7179

Bug: none
Change-Id: Ida622dfa42b319a27a399d780b0639503e7653a9
Reviewed-on: https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/3231277
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Johan Bay <jobay@chromium.org>
dandclark pushed a commit to dandclark/html that referenced this issue Dec 4, 2021
mfreed7 pushed a commit to mfreed7/html that referenced this issue Jun 3, 2022
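
The three escapes discussed in this thread, compared as regular expression pattern source, in an added example that is not code from the issue or from the HTML Standard. The helper names `findRestricted`, `escapeLiteralSource` and `tryMatch` and the sample patterns are constructed for illustration, and the escaping helper assumes its input is the body of a literal, not a `String.raw` template.

```javascript
// Sequences restricted inside <script> contents (ASCII case-insensitive):
// "<!--", "<script", "</script". This pattern is itself written with \x3C.
const RESTRICTED = /\x3C(?:!--|\/?script)/gi;

// Lint helper: list restricted sequences still present in script source.
function findRestricted(scriptSource) {
  return scriptSource.match(RESTRICTED) || [];
}

// Rewrite the "<" of each restricted sequence in literal source text as \x3C.
// Valid in string, template and regex literals; in a comment it only changes
// the comment text. Assumption: the input is not a String.raw template.
function escapeLiteralSource(literalSource) {
  return literalSource.replace(RESTRICTED, (m) => '\\x3C' + m.slice(1));
}

// Compile pattern source as a regex literal would be, reporting syntax errors.
function tryMatch(patternSource, flags, input) {
  try {
    return new RegExp(patternSource, flags).test(input);
  } catch (err) {
    return err.name; // "SyntaxError" when the flags reject an escape
  }
}

// Constructed samples: pattern source for a regex meant to match "<script".
const candidates = {
  'backslash-s': '<\\script',                 // \s is the whitespace class
  'backslash-i': '<scr\\ipt',                 // identity escape, rejected by /u
  'hex-escape': escapeLiteralSource('<script'), // \x3Cscript
};

function report() {
  const rows = {};
  for (const [label, src] of Object.entries(candidates)) {
    rows[label] = {
      source: src,
      matchesTag: tryMatch(src, 'i', '<SCRIPT>'),
      matchesTagUnicode: tryMatch(src, 'iu', '<SCRIPT>'),
      stillRestricted: findRestricted(src).length > 0,
    };
  }
  return rows;
}

console.table(report());
```

The `backslash-s` row no longer contains a restricted sequence but also no longer matches the tag, which is the problem this issue reports; only the `hex-escape` row keeps its meaning with and without the `u` flag.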