1

There are no inline scripts involved, whatsoever. I have an external file script, which fetches some JSONP from twitter. Let's suppose that a property of the object represented in the returned JSONP was a string that contained somewhere in it the substring "</script>". Could this cause any problems on its own, without getting added to the DOM at all? (It gets scrubbed clean well before that point.)

I can't see why it would, but HTML parsing is notoriously whacky and quirky, so who knows? I know that if you want to have a string literal within an inline script, you need to break it up, like var slashScriptContainingString = 'foo</scr' + 'ipt>bar'; Again, I feel like it should be fine, but just checking to see if anyone knows why it might not be.

<!doctype html>
<script src="file.js"></script>

File.js:

var f = function(twobj) {
  console.log(twobj);
  doOtherStuffWith(twobj);
}

<script src="https://api.twitter.com/statuses/user_timeline/user.json?callback=f"></script>

Returned JSONP:

f(["this is an object, returned as part of the JSONP response, except it contains a string literal with the substring \"</script>\".  Is this a problem? Note: I haven't said anything about injecting this string in the DOM in any way shape or form. I can't think of a reason why it might be, but I'd just like to be sure."]);
wwaawaw
  • 6,867
  • 9
  • 32
  • 42
  • Short answer: No. If it is not a part of the HTML page, but an external resource, it can contain whatever is valid JavaScript. – Bergi Sep 30 '12 at 18:01

1 Answers1

2

No, string literals can contain whatever you want. As long as you are not blindly trying to set the innerHTML of something, a string is just a string. The example you have posted is safe.

The reason that you need to split up your </script> tag in your JavaScript source is that you are missing CDATA blocks. Without them, technically everything in your inline JavaScript needs to be properly escaped for HTML. (< becomes &lt;, etc.) Browsers are nice to you and let it slide, but </script> inside inline JavaScript becomes ambiguous. You should be using CDATA blocks to keep things like this from happening.

<script type="text/javascript">
//<![CDATA[
...code...
//]]>
</script>

See this question for more details: When is a CDATA section necessary within a script tag?

Community
  • 1
  • 1
Brad
  • 159,648
  • 54
  • 349
  • 530
  • There are no inline script tags. The first script tag has a `src` which points to an external js code file. The code in this file proceeds to fetch JSONP from twitter. What if a tweet contains the string `""` in it somewhere. Will that cause any problems? (Note: I'm not talking about injecting the strings into the DOM as anything's `innerHTML` or anythign like that.) – wwaawaw Sep 30 '12 at 06:50
  • @adlwalrus, How should I know? You haven't posted any code! Unless you are doing something really weird, no, having `` in a var won't hurt anything at all. – Brad Sep 30 '12 at 15:49
  • I thought I was pretty clear in the question. Sorry if I wasn't, @Brad – wwaawaw Sep 30 '12 at 16:31
  • @adlwalrus, Ha, don't apologize, just post some code showing how you are getting this JSON data and parsing it. – Brad Sep 30 '12 at 17:15
  • The code isn't really done, yet -- hence the reason I just described the situation in prose. – wwaawaw Sep 30 '12 at 17:22
  • @adlwalrus, It's difficult to answer your specific question when there isn't specific information. Write a quick example, showing what you are going to do. – Brad Sep 30 '12 at 17:25
  • There you are, @Brad. Thanks for your patience. :) – wwaawaw Sep 30 '12 at 17:52
  • I thought `CDATA` has been deprecated in (non-X)HTML5? – wwaawaw Sep 30 '12 at 18:21
  • @adlwalrus, Sorry, I missed the fact that you weren't using XHTML. Yeah, no need for it in HTML5... it's purely an XML construct. Of course, you still have the problem in HTML5 of an ambiguous tag then, but only for parsing your script... not for strings loading over XHR. – Brad Sep 30 '12 at 18:30