[whatwg] base64 entities

Kornel Lesiński kornel at geekhood.net
Thu Aug 26 14:35:31 PDT 2010


On Thu, 26 Aug 2010 21:56:12 +0100, Aryeh Gregor
<Simetrical+w3c at gmail.com> wrote:

> Suppose I have some arbitrary blob of trusted JavaScript, and I want
> to output it as an inline script in text/html.  How do I escape it so
> that it executes as intended -- in particular, given that it might
> contain the string "</script>" in string literals, comments, and so
> on?  In most contexts, you could just replace '<' => '<', but that
> doesn't work in inline <script>.

Inside strings you replace "</" with "<\/" ("\/" is valid escape sequence  
for "/"), outside strings you'd need to add space between "</" (a corner  
case x </regexliteral/).

You might also use <script src="data:">.

-- 
regards, Kornel



More information about the whatwg mailing list