W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2010

[whatwg] base64 entities

From: Kornel Lesiński <kornel@geekhood.net>
Date: Thu, 26 Aug 2010 22:35:31 +0100
Message-ID: <op.vh2d9hvzte2ec8@aimac.local>
On Thu, 26 Aug 2010 21:56:12 +0100, Aryeh Gregor
<Simetrical+w3c at gmail.com> wrote:

> Suppose I have some arbitrary blob of trusted JavaScript, and I want
> to output it as an inline script in text/html.  How do I escape it so
> that it executes as intended -- in particular, given that it might
> contain the string "</script>" in string literals, comments, and so
> on?  In most contexts, you could just replace '<' => '&lt;', but that
> doesn't work in inline <script>.

Inside strings you replace "</" with "<\/" ("\/" is valid escape sequence  
for "/"), outside strings you'd need to add space between "</" (a corner  
case x </regexliteral/).

You might also use <script src="data:">.

-- 
regards, Kornel
Received on Thursday, 26 August 2010 14:35:31 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:00 UTC