Concatenating "scr" + "ipt" in javascript bookmarklet code

Given other questions on the same topic, I feel like I understand the obvious justification for concatenating the <script> as '<scr'+'ipt..' in a JavaScript string, even if it is itself erroneous.

However, looking at the Instapaper bookmarklet code, I see d.createElement('scr' + 'ipt'). The corresponding part of the code (decorated) is at the end of the question.

Even if this (anti-)pattern is meant to keep the HTML parser from tripping over the markup when a closing <script> tag appears inside a JavaScript string, I can see even less excuse for it here, given that the concatenated text doesn't even represent the <script> tag.

In this case, is this done for another reason?

    javascript:
    function iprl5() {
        var d = document,
            z = d.createElement('scr' + 'ipt'), //???
            b = d.body,
            l = d.location;
+6
2 answers

It is foolish to break up "<script>", because it will not be parsed as a tag inside a script block*, and it is even more foolish to treat "script" as special. It is not. It lacks either < or </, without which it will never be parsed as a tag, in any context. Thus f("script") and f("scr"+"ipt") have identical semantics.

Technically, in HTML every </ in a script block needs to be protected, but in practice browsers only care about </script>. Because of this, I recommend "<"+"/script>", but this only applies to closing tags. That is, "<script>" (or "script", depending on the situation) works fine inside the script block.

Happy coding.


* Given a conforming HTML parser; manual processing (regular expressions), however, can blow up horribly. The XML/XHTML rules are different, but then < needs to be encoded for those to be well formed anyway ... maybe some ambiguities with CDATA? In any case, this is not related to HTML.

In addition, the related answers do not argue for "<scr"+"ipt.." (or subsets like "scr"+"ipt"): instead, they argue for protecting against the closing script-tag construct that starts with </, which is not even present in the code in the post ...

+5
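The distinction drawn in the answer above, as an added example that is not part of the original answer or of the Instapaper code: a check for where an HTML parser would end an inline script block, run over constructed sample lines, plus one way to embed arbitrary data without ever emitting "</". The names scriptEndIndex, toInlineScriptLiteral and classify are hypothetical, and the check approximates the HTML rule (it ignores the "<!--" escaped-script states).

```javascript
// Added example; scriptEndIndex, toInlineScriptLiteral and the samples are
// constructed for illustration and are not from the post or from Instapaper.

// Approximates the HTML tokenizer rule for inline scripts: the block ends at
// the first "</script" (any case) followed by whitespace, "/" or ">".
// Simplification: the "<!--" escaped-script states are ignored.
// Returns the offset where the block would end, or -1 if it never does.
function scriptEndIndex(scriptText) {
  const m = /<\/script[\t\n\f\r \/>]/i.exec(scriptText);
  return m ? m.index : -1;
}

// Serialises a value for an inline script block. "\u003c" is the same
// character as "<" to the JS engine, but the HTML parser never sees "</".
function toInlineScriptLiteral(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// Constructed lines as they would appear between <script> and </script>.
const samples = {
  bareName: "z = d.createElement('script');",
  splitName: "z = d.createElement('scr' + 'ipt');",
  openTag: "var s = '<script>';",
  closeTag: "var s = '</script>';",
  splitCloseTag: "var s = '<' + '/script>';",
};

// Maps each sample name to true when the line would end the script block early.
function classify(lines) {
  const result = {};
  for (const [name, text] of Object.entries(lines)) {
    result[name] = scriptEndIndex(text) !== -1;
  }
  return result;
}

console.log(classify(samples));
console.log(toInlineScriptLiteral({ note: '</script><!--' }));
```

Only the closeTag sample is flagged; the bare and split element names behave identically, which is why splitting 'script' in createElement changes nothing.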

No.

I think.

I expect this was done by someone who has been burnt by '</script>' and has become too protective.

+3

Source: https://habr.com/ru/post/908748/
