Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrictions for contents of script elements (_object-create.js) #204

Closed
sinisterstumble opened this issue May 31, 2016 · 3 comments
Closed

Restrictions for contents of script elements (_object-create.js) #204

sinisterstumble opened this issue May 31, 2016 · 3 comments

Comments

@sinisterstumble
Copy link

In-lining the core-js/library/modules/_object-create.js in html <script> tag may theoretically backfire, _object-create.js has <script> tags in the source.

Should this be adressed ?

Restrictions for contents of script elements

The easiest and safest way to avoid the rather strange restrictions described in this section is to always escape "<!--" as "<!--", "<script" as "<\script", and "</script" as "</script" when these sequences appear in literals in scripts (e.g. in strings, regular expressions, or comments), and to avoid writing code that uses such constructs in expressions. Doing so avoids the pitfalls that the restrictions in this section are prone to triggering: namely, that, for historical reasons, parsing of script blocks in HTML is a strange and exotic practice that acts unintuitively in the face of these sequences.

_object-create.js#L23

  iframeDocument.open();
  iframeDocument.write('<script>document.F=Object</script' + gt);
  iframeDocument.close();
@zloirock
Copy link
Owner

zloirock commented Jun 3, 2016

We had a problem with </script>, so now it's splitted, but not with <script>. Anyway, just in case, I'll fix this issue later.

@sinisterstumble
Copy link
Author

sinisterstumble commented Jun 4, 2016
edited
Loading

Would you accept a PR ?

On 06/03, Denis Pushkarev wrote:

We had a problem with </script>, so now it's splitted, but not with <script>. Anyway, just in case, I'll fix this issue later.

You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub:
#204 (comment)

@zloirock
Copy link
Owner

zloirock commented Jun 4, 2016

Sure.

funklos referenced this issue in funklos/core-js Jun 29, 2016
@funklos
Merge pull request #1 from funklos/funklos-patch-#204
ea663c7 
Escaping script tags
funklos added a commit to funklos/core-js that referenced this issue Jun 29, 2016
@funklos
zloirock#204 Escaping script tags
f6fd176 
We experienced issues with inlining this code and parsing by facebook parser. So it's indeed safer to incorporate this.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sinisterstumble @zloirock