Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generalize recommendations to escape script in literals #7234

Merged
merged 2 commits into from
Oct 18, 2021
Merged

Generalize recommendations to escape script in literals #7234

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e4c289a
Generalize recommendations to escape `script` in literals
mathiasbynens Oct 18, 2021
3f13476
Avoid `var` in example code snippet
mathiasbynens Oct 18, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions source
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59464,9 +59464,9 @@ o............A....e

<p class="note">The easiest and safest way to avoid the rather strange restrictions described in
this section is to always escape an ASCII case-insensitive match for "<code
data-x="">&lt;!--</code>" as "<code data-x="">&lt;\!--</code>", "<code
data-x="">&lt;script</code>" as "<code data-x="">&lt;\script</code>", and "<code
data-x="">&lt;/script</code>" as "<code data-x="">&lt;\/script</code>" when these sequences appear
data-x="">&lt;!--</code>" as "<code data-x="">\x3C!--</code>", "<code
data-x="">&lt;script</code>" as "<code data-x="">\x3Cscript</code>", and "<code
data-x="">&lt;/script</code>" as "<code data-x="">\x3C/script</code>" when these sequences appear
in literals in scripts (e.g. in strings, regular expressions, or comments), and to avoid writing
code that uses such constructs in expressions. Doing so avoids the pitfalls that the restrictions
in this section are prone to triggering: namely, that, for historical reasons, parsing of
Expand Down Expand Up @@ -59516,14 +59516,14 @@ tag-end =/ %x003E ; U+003E GREATER-THAN SIGN (&gt;)</code></pre>
<p>The following script illustrates this issue. Suppose you have a script that contains a string,
as in:</p>

<pre><code class="js">var example = 'Consider this string: &lt;!-- &lt;script>';
<pre><code class="js">const example = 'Consider this string: &lt;!-- &lt;script>';
console.log(example);</code></pre>

<p>If one were to put this string directly in a <code>script</code> block, it would violate the
restrictions above:</p>

<pre><code class="html">&lt;script>
var example = 'Consider this string: &lt;!-- &lt;script>';
const example = 'Consider this string: &lt;!-- &lt;script>';
console.log(example);
&lt;/script></code></pre>

Expand All @@ -59535,7 +59535,7 @@ console.log(example);</code></pre>
fail because the script (highlighted here) is not valid JavaScript:</p>

<pre><code class="html">&lt;script><mark>
var example = 'Consider this string: &lt;!-- &lt;script>';
const example = 'Consider this string: &lt;!-- &lt;script>';
console.log(example);
&lt;/script>
&lt;!-- despite appearances, this is actually part of the script still! -->
Expand All @@ -59551,8 +59551,8 @@ console.log(example);</code></pre>
avoided entirely:</p>

<pre><code class="html">&lt;script><mark>
// Note: `\s` is an escape sequence for `s`.
var example = 'Consider this string: &lt;\!-- &lt;\script>';
// Note: `\x3C` is an escape sequence for `&lt;`.
const example = 'Consider this string: \x3C!-- \x3Cscript>';
mathiasbynens marked this conversation as resolved.
Show resolved Hide resolved
console.log(example);
</mark>&lt;/script>
&lt;!-- this is just a comment between script blocks -->
Expand Down