why [removed] tag in js string is being validated
I have following page
-
You may want to escape the script tag, like this:
<\/script>var obj= { someHTML: "<script>alert('a');<\/script>rest of the html", someOtherAttribute: "some value" };
Related post:
- How can JavaScript make new page that contains more JavaScript?
讨论(0) -
HTML is parsed before and independent from Javascript. The current browser behavior is that, once an open tag
<script>is found, the browser will switch to "Script Data State" and interpret all following data as script until a</script>is found.Where the
</script>is detected doesn't matter — inside a JS string, a JS comment, a CDATA section, or even HTML comment.You need to make the string does not look like
</script>to the HTML parser. The simplest way is to write<\/script>as in @Daniel's answer.讨论(0) -
You can either escape < and > by, respectively < and > or put the whole script in a CDATA section:
<script type="text/javascript"> <![CDATA[ var obj={someHTML: "<script>alert('a');</script>rest of the html", someOtherAttribute:"some value"}; obj(some.pageButtonScript); ]]> </script>讨论(0) -
Another way of doing it can be this.
var obj= { someHTML: "<script>alert('a');</scr"+"ipt>rest of the html", someOtherAttribute: "some value" };just put a space between the ending script tag, so it wont be parsed as End tag.
讨论(0)
加载中...
- 热议问题