Skip to content
This repository has been archived by the owner on Jul 30, 2019. It is now read-only.

Script data double escape state - can anyone remember the rationale? #1617

Closed
hitsthings opened this issue Sep 3, 2018 · 3 comments
Closed

Script data double escape state - can anyone remember the rationale? #1617

hitsthings opened this issue Sep 3, 2018 · 3 comments

Comments

@hitsthings
Copy link

Hi all,

I recently discovered that the HTML spec explicitly has a double escape state within a script tag wherein closing script tags are ignored. But I haven't been able to track down why this exists in any archives.

I don't think many people on the web are escaping it well, so I'd imagine it can be "dangerous" (the rest of the page gets swallowed by the script tag, so the document just ends there - no lasting damage, but not great behavior).

The gist is that if you are in a <script> tag and come across <!-- followed at some point by <script> again, then the next </script> is ignored, unless you leave comment mode -->. So some examples:

<script>"<!--"</script> - FINE
<script>"<script>"</script> - FINE
<script>"<!-- <a>"</script> - FINE
<script>"<!-- <script> -->"</script> - FINE
<script>"<!-- <\script>"</script> - FINE
<script>"<!-- <script>"</script> - BAD, we're actually still inside the script tag

I can't find any reference to escaping this well on stackoverflow. I've mostly seen people saying that just escaping closing tags would be fine (e.g. "<\/script>"), which is apparently untrue.

I'm sure there is a great reason for this to exist, and if anyone knows the rationale I'd love to hear it to better understand the parser.

Related, if anyone knows an actual safe full answer for escaping JS strings inlined in HTML (is it just this and script end tags?) I'd love to hear about it!

Thanks for any help!
@larrikinventures
Copy link

Here's part of the spec for it: https://www.w3.org/TR/html5/syntax.html#script-data-double-escape-start-state
Here's someone who may have worded the question better than I did: https://stackoverflow.com/questions/23727025/script-double-escaped-state

@chaals
Copy link
Collaborator

chaals commented Sep 3, 2018

What I wrote in that stackoverflow thread:

When Javascript was first introduced, many browsers did not support it. So they would render the content of the script tag - the javascript code itself. The normal way to get around that was to put the script into a comment - things like

    <script>
      <!--    //hide from non-JS browsers
      function doSomething() {
        var coolScript = "<script>" + theCodeICopied + "</script>";
        document.write(coolScript);
      }
      // And if you forget to close your comment here, things go funnny
      -->
    </script>

were relatively normal. So scripts written within comments like this can do things like write script tags as literal strings into the middle of the document. That might seem like poor style today, but once upon a time there was not much by way of a DOM, either.

I presume this closes the issue, unless you want to suggest that we now change that bit of parsing. Which I think is not very likely to happen without a very good reason.

@chaals chaals closed this as completed Sep 3, 2018
@hitsthings
Copy link
Author

Thanks so much! Definitely closes the issue. It's still scary that string contents can break a page in multiple ways, but it is what it is.

@sebmarkbage sebmarkbage mentioned this issue Apr 14, 2022
Closed
@dmsnell dmsnell mentioned this issue May 9, 2024
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hitsthings @chaals @larrikinventures