2

I have the following page:

<html>
<head>
    <script type="text/javascript" src="e01.js"></script>
</head>
<body>
<script type="text/javascript">
var obj={someHTML: "<script>alert('a');</script>rest of the html",  
               someOtherAttribute:"some value"};
    alert(obj.someHTML);
</script>
</body>
</html>

In the someHTML attribute of my object I have a </script> tag in a string, but the browser reads this as an actual close tag and closes the script element. Is there anything I am missing here? (Tried it in FF and Chrome.)

yilmazhuseyin
  • Hey, I found a bug in Stack Overflow. I cannot write in a regular text. It is working in comments but not in an actual question. – yilmazhuseyin Aug 18 '10 at 07:46

4 Answers

5

HTML is parsed before, and independently of, JavaScript. The current browser behavior is that, once an open tag <script> is found, the browser will switch to "Script Data State" and interpret all following data as script until a </script> is found.

Where the </script> is detected doesn't matter — inside a JS string, a JS comment, a CDATA section, or even an HTML comment.

You need to make sure the string does not look like </script> to the HTML parser. The simplest way is to write <\/script> as in @Daniel's answer.

kennytm
  • 1
    *Curious note:* Regarding the HTML4.01 spec, actually it should be the `ETAGO` sequence `` the token that would terminate a `SCRIPT` element's content, but seems that most browsers are permissive, and now the de-facto standard is `"';`... check [this test](http://kangax.github.com/jstests/etago_delimiter_test/). – Christian C. Salvadó Aug 18 '10 at 07:57
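
The parsing rule described in the answer above, together with a way to embed data in an inline script without tripping it, as an added example that is not part of the original posts. It generalizes the `<\/script>` escape to any JSON-serializable value; the function names and the sample object are illustrative assumptions.

```javascript
// Added example: names below are illustrative, not from the original posts.

// Approximates the HTML tokenizer rule: inside <script>, the element ends at
// the first "</script" followed by whitespace, "/" or ">", matched
// case-insensitively, regardless of JavaScript string or comment context.
function findScriptEndTag(scriptText) {
  const match = /<\/script[\t\n\f\r \/>]/i.exec(scriptText);
  return match ? match.index : -1;
}

// Serialize a JSON-compatible value so the result can sit inside an inline
// <script> block. "<" and ">" only occur inside JSON strings, so replacing
// them with \u003c / \u003e keeps the JSON valid while removing every
// "</script" and "<!--" sequence. U+2028/U+2029 are escaped for older
// JavaScript engines that treat them as line terminators in string literals.
function serializeForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed sample: the object from the question, plus a mixed-case variant
// with trailing whitespace, which the tokenizer also accepts as an end tag.
const sample = {
  someHTML: "<script>alert('a');</script>rest of the html",
  someOtherAttribute: "x</SCRIPT >y",
};

const naive = "var obj=" + JSON.stringify(sample) + ";";
const safe = "var obj=" + serializeForInlineScript(sample) + ";";

console.log("naive: end tag found at index", findScriptEndTag(naive));
console.log("safe:  end tag found at index", findScriptEndTag(safe));
console.log(safe);
```

The escaped output is still valid JSON and valid JavaScript, so `JSON.parse` or direct evaluation yields the original strings.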
3

You may want to escape the script tag, like this: <\/script>

var obj= {
   someHTML: "<script>alert('a');<\/script>rest of the html",  
   someOtherAttribute: "some value"
};

Related post:

Daniel Vassallo
3

You can either escape < and > by, respectively, &lt; and &gt;, or put the whole script in a CDATA section:

<script type="text/javascript">
<![CDATA[
var obj={someHTML: "<script>alert('a');</script>rest of the html",  
               someOtherAttribute:"some value"};
    alert(obj.someHTML);
]]>
</script>
Maurice Perry
0

Another way of doing it can be this.

 var obj= {
 someHTML: "<script>alert('a');</scr"+"ipt>rest of the html",  
 someOtherAttribute: "some value"
 };

Just put a space between the ending script tag, so it won't be parsed as an end tag.

Furqan Hameedi