24

I'd just like to ask what the title says. Is the following string required in HTML script tags?

<!--
//-->

If I don't use them what would happen?

Joel Etherton
KodeFor.Me
  • 3
    Can somebody explain to me why this question got 6 upvotes already? It's a question that can be answered by merely typing the title into Google, ergo: no effort. – CodeCaster Nov 08 '11 at 11:40
  • 18
    @CodeCaster: The only thing that should matter is whether a question is well asked and is not a duplicate. In the long run, SO can be a much better reference than Google. (And that is not counting how bad Google is at indexing symbols & weird operators) – hugomg Nov 08 '11 at 12:04
  • 9
    Can I downvote a comment? (Typing [`JavaScript are required?`](http://www.google.com/search?q=JavaScript+%3C!--+%2F%2F--%3E+are+required%3F) into Google is _not_ very useful.) – Ilmari Karonen Nov 08 '11 at 19:15
  • 1
    I'm pretty sure this has been asked several times on SO already. – DisgruntledGoat Nov 09 '11 at 02:02
  • no research effort as per me.. – smile.al.d.way Nov 09 '11 at 16:11

8 Answers

34

Not unless you are targeting browsers that predate the <script> element (i.e. Netscape 1 and friends). (Hint: You aren't).

If you don't use them, and a browser that old (so old it can't even cope with the HTTP Host header which is needed for sites that use virtual hosts) tries to access the site, then the content of the <script> element will be treated as text to be displayed.

Further reading: Comments and CDATA: The mysterious history of script and style in HTML

Quentin
  • 15
    I wouldn't say "hint: you aren't", but more like "hint: if you are, you're doing it wrong" – Romain Nov 08 '11 at 11:32
  • Álvaro raises an important point in his answer though: Without the CDATA escapes, the page is no longer valid XML if a meta character such as `<` is contained in the script. I think that relying on applications silently fixing up invalid data is bad style. – Simon Richter Nov 08 '11 at 17:06
  • 1
    @Simon Richter — The question is about HTML, not XHTML. It is also specifically about the use of comments around the script block. (And the XHTML issue *is* mentioned in the link I provide for further reading) – Quentin Nov 08 '11 at 17:25
8

The worst thing that can happen is that your page is retrieved by a user agent that's not aware of the <script> tag and tries to parse your script block as regular HTML. JavaScript code will be handled as regular text and < symbols might interfere with the page markup. A forced example:

<script type="text/javascript">
if(a<del || a>b){
    foo();
}
</script>
Lorem ipsum dolor sit amet.

... could render as ugly deleted text:

if(ab){ foo(); } Lorem ipsum dolor sit amet.

Do these obsolete user agents exist? Oh, sure they do. Please note I've carefully avoided the word "browser". The question is not who's using Mosaic nowadays. It's that your site can be read by a poorly-written PHP-powered regexp based parser.

Should you care? Well, probably not :)

Álvaro González
  • This behaviour is not even obsolete. – Simon Richter Nov 08 '11 at 17:07
  • 1
    @Simon Richter — Yes, it is. The behaviour occurs when a browser does not recognise a ` – Quentin Nov 08 '11 at 17:27
3

If you don't use them, a browser from the early 90's might display the source JS code instead of running it.

Niet the Dark Absol
3

No, they're not required. This habit is required for supporting really old browsers and is slightly related to including CDATA tags which should be included for validation purposes. Neither of them are required, but serve or have served their purpose as is clear from some of the more elaborate answers.

See: When is a CDATA section necessary within a script tag?

Community
Pieter
  • 5
    CDATA markers have nothing to do with "really old browsers", they are for browsers parsing XHTML with an XML parser (i.e. correctly). The comments have nothing to do with validation (except by accident if they are misused in XHTML). – Quentin Nov 08 '11 at 11:31
  • I've rephrased to make it more clear what I meant, but of course you're absolutely right. – Pieter Nov 08 '11 at 11:41
  • @Quentin I don't think there's anything actually formally prohibiting including the content as text content - it's just that then you are required to escape every greater-than/less-than/ampersand as an HTML entity. Using CDATA means you've only got to deal with the uncommon character sequence `]]>` (which you could do by simply including a space between two of the tokens) – Random832 Nov 08 '11 at 14:13
  • @Random832 — I didn't say anything about the data being prohibited as text content. You can't always deal with `]]>` by changing it to `] ]>` though … since that is different content. – Quentin Nov 08 '11 at 14:26
2

For valid HTML, your inline JavaScript should be HTML escaped.

If you were to write a script such as:

<script type="text/javascript">
  document.write('<script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script>');
</script>

There will be an issue, because the script contains </script> which will close the first opening script tag. Older user agents had all sorts of issues with poorly escaped JavaScript, and it was easier to tell people to use:

<script>
  //<!--
  //-->
</script>

Than it was to teach people to write the script as:

<script type="text/javascript">
  document.write('&lt;script type=&quot;text/javascript&quot; src=&quot;http://code.jquery.com/jquery-latest.min.js&quot;&gt;&lt;/script&gt;');
</script>

Note that JS comments are used to prevent the JavaScript engine from trying to execute <!-- and -->, which might be legitimate statements (a<!--b and a-->b).

Than explain that they actually needed to turn every " to &quot;, < to &lt;, > to &gt; and & to &amp;.

The "modern" fix for this is to use a character data element, which tells the document that everything contained should be treated as literal text:

<script type="text/javascript">
  /* <![CDATA[ */
  /* ]]> */
</script>

In this case I'm using multi-line comments so that the code isn't corrupted if it's minified to a single line (some rich text editors have done this to me in the past).

The best solution is to simply keep all HTML in .html files, all CSS in .css files and all JS in .js files. You won't ever have to worry about HTML escaping your JavaScript, and you'll be able to reuse your JS elsewhere simply by inserting a new <script>.

zzzzBov
  • 1
    There are three separate problems, "Characters with special meaning in XHTML", "The `` sequence in HTML" and "Browsers which don't recognise the `` from ending the script (mid-JS-string). – Quentin Nov 08 '11 at 15:50
  • I believe the character sequence ` – Daniel Pryden Nov 08 '11 at 18:31
  • @DanielPryden, doesn't really matter anyway, the [html5 spec](http://dev.w3.org/html5/spec/syntax.html#comments) specifies that a comment cannot contain two consecutive minus signs (`--`), which should be a big red flag as a reason *not* to use a comment around JavaScripts. – zzzzBov Nov 08 '11 at 18:34
  • @zzzzBov: I don't think that applies in this case. A `--` cannot appear inside an *HTML comment*, but JavaScript comments aren't the same thing. – Daniel Pryden Nov 08 '11 at 19:53
  • 1
    @Daniel Pryden — No. ` – Quentin Nov 08 '11 at 21:43
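
The `</script>` problem described in the answer above, as an added example (not code from any of the posts): the first function approximates where an HTML parser ends an inline script, and the second builds a string literal that no longer contains `</script>`, `<!--`, `-->` or `]]>`. The function names `scriptEndIndex`, `toInlineScriptLiteral` and `buildStatements` are hypothetical.

```javascript
// Added example; the function names are hypothetical, not from any library.

// Approximates where an HTML parser ends an inline script: at the first
// "</script" (any case) followed by whitespace, "/" or ">", even when that
// text sits inside a JavaScript string. Returns the index, or -1 if none.
// (Ignores the legacy "<!--<script" double-escape state.)
function scriptEndIndex(scriptText) {
  const match = /<\/script[\t\n\f\r \/>]/i.exec(scriptText);
  return match ? match.index : -1;
}

// Serialises a value as a JavaScript literal for an inline script. In
// JSON.stringify output "<", ">" and "&" occur only inside string literals,
// so \uXXXX escapes keep the value identical while removing "</script>",
// "<!--", "-->" and "]]>" from the source text.
function toInlineScriptLiteral(value) {
  const escapes = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026' };
  return JSON.stringify(value).replace(/[<>&]/g, (ch) => escapes[ch]);
}

// The markup string from the answer's document.write() call.
const TAG = '<script type="text/javascript" ' +
  'src="http://code.jquery.com/jquery-latest.min.js"></script>';

// The same statement written two ways: raw string literal vs. escaped literal.
function buildStatements() {
  return {
    raw: "document.write('" + TAG + "');",
    escaped: 'document.write(' + toInlineScriptLiteral(TAG) + ');',
  };
}

const { raw, escaped } = buildStatements();
console.log('raw statement ends the script at index', scriptEndIndex(raw));
console.log('escaped statement ends the script at index', scriptEndIndex(escaped));
console.log(escaped);
```
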
1

Google "why comment out javascript in html", first hit:

http://www.howtocreate.co.uk/tutorials/javascript/incorporate

This is not needed any more. All current browsers are aware of script tags, and how to treat their contents, since they have been part of HTML since HTML 3. Browsers that do not understand HTML 3 or scripts (these are virtually never used now) will display the script as if it was the content of the page. You can hide the script from them by commenting out your script with standard HTML comments.

CodeCaster
1

99% of the time, they are no longer needed :) Unless you're running some really old browser!

Graeme Leighfield
0

Commenting JavaScript code in such a way may also prevent the content from being indexed by search engines, and may be desirable in some cases.

For example, some time ago I found a lot of "page not found" issues in the Google webmaster tools. After a simple analysis of the URLs, I found out that Google got all path-like variables from my JS code (like "name/001"), joined them with the current URL (mysite.info/staff) and tried to request the resulting URL. Without success, of course.

After inserting <!-- //--> in some of the JS blocks, all "page not found" issues disappeared in a matter of a month or two.

Zenya