The exposure of an Unescaped "</script>" tag in newest browsers

Status: RESOLVED INVALID

People: Reporter: forsburg; Assigned: jst

Tracking: Trunk, x86, Windows 2000
(Reporter)

Description

16 years ago
The problem reported in bug 175375 was not a complete description.

Using the small example referenced in bug 175375 shows the following:

<script>
document.write("Before test<br>");
document.write("<script></script>");
document.write("<br>After test");
</script>

This problem was reported as failing in Mozilla and new NS but not in NS4.79.

A true example of the condition is:

<script>
document.write("Before test<br>");
<!--
document.write("<script></script>");
//-->
document.write("<br>After test");
</script>

This code does work in 4.79, as the comments hide the unescaped </script> as
listed in the HTML 4.01 spec under section 18.3.2 "Hiding script data from user
agents".

There is also a compatibility section we found at http://www.w3.org/TR/xhtml1/#C_4.
Section "C.4. Embedded Style Sheets and Scripts" warns of new browsers
stripping the comment tags away and exposing the hidden scripts.

This implies section 18 is not valid in the latest version. 

It seems this particular difference is in NS 6.0, 6.1, 7.0, Mozilla 1.01,
Mozilla 1.1.  But the NS release of NS6.2, NS6.2.2, NS6.2.3 let the code work
the same way as in NS 4.79.  

Can someone please explain whether this is a bug in the browser? If not, can you
point to where it is documented that it is invalid coding to rely on the comment
tags to hide the unescaped </script> tag.

Thanks.
Comment 1

16 years ago
http://www.w3.org/TR/html401/interact/scripts.html#h-18.2.1

says that the contents of a <script> element must be %Script;

http://www.w3.org/TR/html401/sgml/dtd.html#Script

says that %Script; means "CDATA".

In CDATA, all chars are treated literally.  Thus markup is not treated as markup
in CDATA.  Comments are markup.

The comment trick is meant for _old_ browsers which do not know what the
<script> element is and hence do not know that it should only contain CDATA and
that the text in it should not be rendered.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → INVALID
(Reporter)

Comment 2

16 years ago
This may be a better representation of the real problem. 

<script>
document.write("Before test<br>");
<!--
document.write("<script language='JavaScript1.2' type='text/javascript' src='../nonssl/"+spMsg[smCount].split("^")[0]+".js'></script>");
//-->
document.write("<br>After test");
</script>

The problem is that the browser appears to remove the comments, exposing the
</script>. Is this the desired effect of the XML parser?


Comment 3

This is the desired effect of the _HTML_ parser.  As XML, that would simply be a
malformed document and would not parse at all.

The correct effect for an HTML parser is to

1) End the script at the first occurrence of "</" (most browsers are lenient and
   go up through the first "</script" as Mozilla does).
2) Throw a JS exception because the "<!--" must be passed on to the JS engine
   as-is and is not valid javascript.
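
The rule stated in comment 1 and comment 3, and the fix it points to, as an added example. This is not code from the bug report or from Mozilla's parser: scriptDataEnd() models an HTML parser that ends script data at the first "</script" regardless of any "<!--", escapeForScriptData() is the usual fix of writing "<\/" inside the JS string literal, and the two sample <script> bodies are constructed from the snippet in comment 0. All function names are my own.

```javascript
// Added example (not code from the bug report or from Mozilla): a model of
// the HTML-parser rule stated in comment 3, plus the escaping fix.

// An HTML parser treats <script> content as CDATA: markup inside it,
// including "<!--" and "-->", is just characters.  The element's content
// ends at the first "</script" (case-insensitive), as comment 3 describes
// for Mozilla.  Returns that offset, or -1 if the content has no end tag.
function scriptDataEnd(scriptData) {
  return scriptData.toLowerCase().indexOf("</script");
}

// The program text the JS engine receives: everything before that offset.
function scriptTextSeenByJs(scriptData) {
  const end = scriptDataEnd(scriptData);
  return end === -1 ? scriptData : scriptData.slice(0, end);
}

// Does the text parse as JavaScript?  Only checks syntax; nothing runs.
function parsesAsJs(jsText) {
  try {
    new Function(jsText);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The fix: escape every "</" in a JS string literal as "<\/".  The HTML
// parser no longer sees "</script", but the JS engine decodes "\/" to "/",
// so the string document.write() emits is unchanged.
function escapeForScriptData(s) {
  return s.replace(/<\//g, "<\\/");
}

// Run script text with a stand-in document object and collect what
// document.write() would have emitted into the page.
function runWithFakeDocument(jsText) {
  const written = [];
  const fakeDocument = { write: (s) => written.push(s) };
  new Function("document", jsText)(fakeDocument);
  return written.join("");
}

// Constructed sample: the <script> body from the bug report, with the
// "<!--" / "//-->" comment trick around the inner </script>.
const unsafeBody = [
  'document.write("Before test<br>");',
  '<!--',
  ' document.write("<script></script>");',
  '//-->',
  ' document.write("<br>After test");',
].join("\n");

// Constructed sample: the same body with the inner end tag escaped.
const safeBody = [
  'document.write("Before test<br>");',
  'document.write("' + escapeForScriptData("<script></script>") + '");',
  'document.write("<br>After test");',
].join("\n");

// What happens to each body.  The unsafe one is cut off at the inner end
// tag, so the engine gets an unterminated string literal; the safe one
// reaches the engine whole and writes the intended markup.
function compare() {
  return {
    unsafeCutOffAt: scriptDataEnd(unsafeBody),   // not -1: the comment trick does not help
    unsafeParses: parsesAsJs(scriptTextSeenByJs(unsafeBody)),
    safeCutOffAt: scriptDataEnd(safeBody),       // -1: no "</script" in the data
    safeOutput: runWithFakeDocument(scriptTextSeenByJs(safeBody)),
  };
}

console.log(compare());
```

Run it under node. Two notes for anyone applying this today: the HTML Standard's tokenizer now has "script data escaped" and "double escaped" states that reproduce the NS 4.79 handling of "<!-- ... -->" blocks, but writing "<\/" (or splitting the literal, "</scr" + "ipt>") is correct under every parser and is the same precaution that stops attacker-controlled data embedded in a script block from closing the element early.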

Updated

10 years ago
Component: DOM: HTML → DOM: Core & HTML
QA Contact: stummala → general