[whatwg] base64 entities

Aryeh Gregor Simetrical+w3c at gmail.com
Thu Aug 26 13:56:12 PDT 2010


On Thu, Aug 26, 2010 at 4:20 PM, Julian Reschke <julian.reschke at gmx.de> wrote:
> I have to admit that I'm not sure what's special about <script> here. Are
> you saying that it's insufficient to escape all characters that have a
> special meaning there?

data:text/html,<!doctype html>
<script>alert("&");</script>

alerts "&", not "&".  So generally, you just don't escape stuff in
<script>, but I don't know of any general-purpose way to have
"</string>" in a string literal (or anywhere else), other than
splitting it up like "</scr" + "ipt>".

On Thu, Aug 26, 2010 at 4:25 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> Sorta.  It'll let you put the data in <script>, but it won't verify that the
> data doesn't change the meaning of the script, obviously, or inject script
> of its own to run.

Hmm.  Okay, then I don't get how this helps in Adam's second example:

<script>
elmt.innerHTML = 'Hi there <?php echo htmlspecialchars($name) ?>.';
</script>

If it doesn't help there, then I don't see any use-cases, since the
first example is trivially solvable by just using quotes.

>> Is automated general escaping even possible right now in<script>  for
>> text/html?
>
> Defined how?

Suppose I have some arbitrary blob of trusted JavaScript, and I want
to output it as an inline script in text/html.  How do I escape it so
that it executes as intended -- in particular, given that it might
contain the string "</script>" in string literals, comments, and so
on?  In most contexts, you could just replace '<' => '<', but that
doesn't work in inline <script>.

(Right?  I admit I'm mostly cargo-culting this, and have no idea how
text/html parsing works at all.  I have fond dreams of an HTML
serialization that's actually comprehensible to authors but has
reasonable error handling . . .)



More information about the whatwg mailing list