46

I am encountering an issue where having a ending script tag inside a quoted string in JavaScript, and it is killing the script. I assume this is not expected behaviour. An example of this can be seen here: http://jsbin.com/oqepe/edit

My test case browser for the interested: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.4) Gecko/20091028 Ubuntu/9.10 (karmic) Firefox/3.5.4.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
re5et
  • 4,305
  • 3
  • 25
  • 26

2 Answers2

87

What happens?

The browser HTML parser will see the </script> within the string and it will interpret it as the end of the script element.

Look at the syntax coloring of this example:

<script>
var test = 'foo... </script> bar.....';
</script>

Note that the word bar is being treated as text content outside of the script element...

A commonly used technique is to use the concatenation operator:

var test = '...... </scr'+'ipt>......';
Christian C. Salvadó
  • 807,428
  • 183
  • 922
  • 838
  • 4
    This does work, but I am surprised that I have to do it. Part of the problem is that I am scraping a page and storing the results in a JS variable. I have no real expectations of what Is coming back. – re5et Nov 02 '09 at 06:51
  • How are you storing it in a variable? Are you scraping server-side then generating `var x = ;`? If so, don't forget to JSON-encode it. – orip Dec 01 '09 at 10:10
  • 16
    Escape the /, don't split the string up into parts. IIRC it is still an error in HTML 4.x. It is certainly more fiddly to type, messier to read, more characters to deal with, and less efficient (since string concatenation isn't the cheapest of JS operations) – Quentin Dec 01 '09 at 10:20
  • 3
    Yeap, only what you need to do is add a back slash `var t = 'my tag <\/script> for script';` – Pierre Jan 23 '15 at 09:22
  • this is such a counterintuitive security flaw. in fact, this is an XSS vulnerability and should be prevented by following [the rules](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet), not just some "split-in-the-middle". – Cee McSharpface Oct 09 '18 at 13:26
17

You need to escape it, else it will be a part of the HTML.

var test = 'what the hell... \<\/script\> \<h1\>why?!?!?!\<\/h1\>';
LiraNuna
  • 64,916
  • 15
  • 117
  • 140
  • It's the way XML is being rendered. You can also wrap the script with <![CDATA[ and ]]>. It won't happen with other tags because the way the XML parser work (notably it treats script as text, and not as code). – LiraNuna Nov 02 '09 at 06:50
  • 1
    @LiraNuna Umm. No. An XML parser will treat `` as "End of script" and `` as a well-formness error. An HTML parser will treat `` as "end of script" and then if it is `` as "Error with handling undefined by the specification". Only a tag soup parser (and possibly an HTML5 parser, I haven't read the draft closely enough to be sure) will treat `` as part of the script. – Quentin Dec 01 '09 at 10:19
  • 3
    Oh, and if you wrap with CDATA markers then that won't fix it for tag soup parsers. – Quentin Dec 01 '09 at 10:21
  • 1
    Nice solution the escaping, but really not needed for anything but the script tag's slash. – Niki Romagnoli Jan 15 '16 at 14:35