- From: Kornel Lesiński <kornel@geekhood.net>
- Date: Thu, 26 Aug 2010 22:35:31 +0100
On Thu, 26 Aug 2010 21:56:12 +0100, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:

> Suppose I have some arbitrary blob of trusted JavaScript, and I want
> to output it as an inline script in text/html. How do I escape it so
> that it executes as intended -- in particular, given that it might
> contain the string "</script>" in string literals, comments, and so
> on? In most contexts, you could just replace '<' => '&lt;', but that
> doesn't work in inline <script>.

Inside strings you replace "</" with "<\/" ("\/" is a valid escape sequence for "/"), outside strings you'd need to add space between "</" (a corner case x </regexliteral/).

You might also use <script src="data:">.

-- 
regards, Kornel
Received on Thursday, 26 August 2010 14:35:31 UTC
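
The two cases from the reply above ("<\/" inside string literals, a space between "<" and "/" everywhere else), as an added example that is not part of the original message. The function name `escapeInlineScript` is hypothetical, and the scanner is deliberately simplified: it assumes the input has no template literals and no regex literals that contain quote characters or comment markers.

```javascript
// Added example, not from the original message. Simplified scanner, not a
// full JavaScript tokenizer (see the assumptions in the lead-in).
function escapeInlineScript(src) {
  let out = "";
  // "code", "line" (// comment), "block" (/* comment */), or the open quote char
  let state = "code";
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    const next = src[i + 1];
    const inString = state === '"' || state === "'";
    if (c === "<" && next === "/") {
      // In a string, "\/" is an escape for "/", so the value is unchanged.
      // In code and comments, a space separates the two characters.
      out += inString ? "<\\/" : "< /";
      i++;
      continue;
    }
    out += c;
    if (inString) {
      if (c === "\\") {
        // Copy the escaped character verbatim so \" or \\ cannot end the
        // string early; leave "<" for the next iteration so "\</" is caught.
        if (next !== undefined && next !== "<") { out += next; i++; }
      } else if (c === state) {
        state = "code";
      }
    } else if (state === "line") {
      if (c === "\n") state = "code";
    } else if (state === "block") {
      if (c === "*" && next === "/") { out += "/"; i++; state = "code"; }
    } else if (c === '"' || c === "'") {
      state = c;
    } else if (c === "/" && next === "/") {
      out += "/"; i++; state = "line";
    } else if (c === "/" && next === "*") {
      out += "*"; i++; state = "block";
    }
  }
  return out;
}
```
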