Closed Bug 308004 Opened 19 years ago Closed 19 years ago

Quoted string containing </script> ends script

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 301847

People

(Reporter: mozilla, Unassigned)

Attachments

(1 file)

20050907 trunk

This has been happening for quite some time. Whenever I load Wired, there are
bits of JS strewn about the page. Investigation shows that Firefox is treating a
quoted string containing "</script>" as the real end of the script.

Anything inside of quoted strings should be ignored.

I don't think so. The browser doesn't know anything about what's inside the <script>
block (it's just CDATA), so it's looking for the </script> tag directly.

Note that I don't see it at the moment, but that's probably because it's ad-related.

The author should do something like this:
document.write('<'); document.write('/script>');
because the spec requires that we stop processing when the first '</' is
encountered (see <http://www.w3.org/TR/html401/types.html#type-cdata>). But it
breaks so many pages, that we actually stop at '</script'. See bug 254606.

Assignee: nobody → parser
Component: Layout → HTML: Parser
QA Contact: layout → mrbkap

I agree that tags in quoted strings don't have to be ignored. However, I think
the following should work

<script type="text/javascript">
<![CDATA[
function test() { window.alert("</script>"); }
]]>
</script>

See also http://www.w3.org/TR/xhtml1/#h-4.8

Conclusion: content inside CDATA should not be parsed.

Of course, the point of my previous comment is that the code example prints
"); } ]]> to the screen, which should not happen.

This is a duplicate of either bug 301847 or bug 302469.

The workaround in comment 3 will only work in XHTML (not regular HTML, which
Wired sends). The htmlparser doesn't parse the JavaScript inside the <script>
tags (and thus cannot detect whether the </script> is inside a quoted string or
not). The easiest way to get around this is: document.write("<\/script>").

*** This bug has been marked as a duplicate of 301847 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
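
Added example, not part of the bug thread or of Mozilla's code: a simplified model of how a text/html parser finds the end of a script, run against the CDATA sample from the thread and against a string embedded with and without the "<\/" escape. All function names are hypothetical, and the "<!--" handling is an assumption that goes beyond what the thread discusses.

```javascript
// Added example; all names here are hypothetical.

// Approximates how a text/html parser ends a <script> element: the first
// "</script" followed by whitespace, "/" or ">" wins. JS quoting is never seen.
function splitAtScriptEnd(html) {
  const open = /<script\b[^>]*>/i.exec(html);
  if (!open) return null;
  const start = open.index + open[0].length;
  const close = /<\/script[\t\n\f\r \/>]/gi;
  close.lastIndex = start;
  const m = close.exec(html);
  if (!m) return { script: html.slice(start), rest: '' };
  const gt = html.indexOf('>', m.index);
  return { script: html.slice(start, m.index), rest: gt === -1 ? '' : html.slice(gt + 1) };
}

// Serialises a value as a JS literal that can sit in an inline script in text/html.
function toInlineScriptLiteral(value) {
  const json = JSON.stringify(value);
  if (json === undefined) throw new TypeError('value is not JSON-serialisable');
  return json
    .replace(/<\//g, '<\\/')         // "</" -> "<\/", the workaround from the thread
    .replace(/<!--/g, '\\u003c!--'); // assumption beyond the thread: keep "<!--" out too
}

function inlineScript(literal) {
  return '<script>var s = ' + literal + ';</script><p>page</p>';
}

// The CDATA sample from the thread, as it would arrive in a text/html document.
const CDATA_PAGE = '<script type="text/javascript">\n<![CDATA[\n' +
  'function test() { window.alert("</script>"); }\n]]>\n</script>';

const value = 'a</script>b'; // constructed sample string
const naive = splitAtScriptEnd(inlineScript(JSON.stringify(value)));
const safe = splitAtScriptEnd(inlineScript(toInlineScriptLiteral(value)));
const cdata = splitAtScriptEnd(CDATA_PAGE);

console.log('naive script:', naive.script, '| leaked into page:', naive.rest);
console.log('safe script: ', safe.script, '| rest of page:', safe.rest);
console.log('CDATA sample leaks:', JSON.stringify(cdata.rest));
```

The text left over after the premature end tag is what shows up on the page as stray JS, which matches the `"); } ]]>` output reported for the CDATA sample.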