[whatwg] base64 entities
Kornel Lesiński
kornel at geekhood.net
Thu Aug 26 14:35:31 PDT 2010
On Thu, 26 Aug 2010 21:56:12 +0100, Aryeh Gregor
<Simetrical+w3c at gmail.com> wrote:
> Suppose I have some arbitrary blob of trusted JavaScript, and I want
> to output it as an inline script in text/html. How do I escape it so
> that it executes as intended -- in particular, given that it might
> contain the string "</script>" in string literals, comments, and so
> on? In most contexts, you could just replace '<' => '<', but that
> doesn't work in inline <script>.
Inside strings you replace "</" with "<\/" ("\/" is valid escape sequence
for "/"), outside strings you'd need to add space between "</" (a corner
case x </regexliteral/).
You might also use <script src="data:">.
--
regards, Kornel
More information about the whatwg
mailing list