[whatwg] base64 entities
Aryeh Gregor
Simetrical+w3c at gmail.com
Thu Aug 26 13:56:12 PDT 2010
On Thu, Aug 26, 2010 at 4:20 PM, Julian Reschke <julian.reschke at gmx.de> wrote:
> I have to admit that I'm not sure what's special about <script> here. Are
> you saying that it's insufficient to escape all characters that have a
> special meaning there?
data:text/html,<!doctype html>
<script>alert("&amp;");</script>
alerts "&amp;", not "&". So generally, you just don't escape stuff in
<script>, but I don't know of any general-purpose way to have
"</script>" in a string literal (or anywhere else), other than
splitting it up like "</scr" + "ipt>".
On Thu, Aug 26, 2010 at 4:25 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> Sorta. It'll let you put the data in <script>, but it won't verify that the
> data doesn't change the meaning of the script, obviously, or inject script
> of its own to run.
Hmm. Okay, then I don't get how this helps in Adam's second example:
<script>
elmt.innerHTML = 'Hi there <?php echo htmlspecialchars($name) ?>.';
</script>
If it doesn't help there, then I don't see any use-cases, since the
first example is trivially solvable by just using quotes.
>> Is automated general escaping even possible right now in <script> for
>> text/html?
>
> Defined how?
Suppose I have some arbitrary blob of trusted JavaScript, and I want
to output it as an inline script in text/html. How do I escape it so
that it executes as intended -- in particular, given that it might
contain the string "</script>" in string literals, comments, and so
on? In most contexts, you could just replace '<' => '&lt;', but that
doesn't work in inline <script>.
(Right? I admit I'm mostly cargo-culting this, and have no idea how
text/html parsing works at all. I have fond dreams of an HTML
serialization that's actually comprehensible to authors but has
reasonable error handling . . .)
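For the narrower case the message's second example raises, a value embedded inside a JavaScript string literal in an inline <script>, the usual answer is a backslash inside the literal rather than splitting the string. The following JavaScript is an added example, not part of the original thread or of any project's code; it assumes a hypothetical `elmt` as in Adam's snippet and builds the inline script with the value as a JS string literal, then checks the generated markup for a premature "</script" end tag.

```javascript
// Added example (not from the original thread). The HTML tokenizer ends a
// <script> element at the first "</script" it meets regardless of how the
// JavaScript around it tokenizes, and "<!--" switches it into the escaped
// script-data states, which changes how a later "</script" is handled.
// Inside a JS string literal both sequences can be written as "<\/" and
// "<\!--": the backslash means nothing to the HTML parser, so the element
// is not closed, while JavaScript reads "\/" as "/" and "\!" as "!".

function jsStringForInlineScript(value) {
  // JSON.stringify takes care of quotes, backslashes and control chars ...
  const literal = JSON.stringify(String(value));
  // ... but leaves "</script>" and "<!--" untouched, so patch those, plus
  // the two line terminators JSON permits inside strings but older JS
  // string literals did not.
  return literal
    .replace(/<\//g, '<\\/')
    .replace(/<!--/g, '<\\!--')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The inline script from the thread, with the name embedded as a string
// literal instead of as raw markup. `elmt` is hypothetical, as in the post.
function inlineScript(name) {
  return '<script>\nelmt.innerHTML = ' +
    jsStringForInlineScript('Hi there ' + name + '.') + ';\n</script>';
}

// Crude check in the spirit of the tokenizer's script-data state: does a
// "</script" appear anywhere before the intended closing tag?
function closesEarly(markup) {
  const body = markup.slice('<script>'.length);
  const intendedEnd = body.lastIndexOf('</script>');
  return /<\/script/i.test(body.slice(0, intendedEnd));
}

// Constructed sample input containing the sequences that matter.
const sample = '</script><!--\u2028"\\';
console.log(jsStringForInlineScript(sample));
console.log(closesEarly(inlineScript('</script><b>')));
```

Running the sample prints the escaped literal and `false`; the naive version of the same markup, with the value pasted in unescaped, trips the check because the HTML parser sees its own end tag before the JavaScript string has finished.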