8

I need a little assistance. I have to create a JavaScript string that contains more JavaScript that is then written to a div tag in the parent window. The code is as follows:

<script language="javascript" type="text/javascript">
var jstr2 = '';
jstr2 += '<script language="javascript">\n';
jstr2 += 'function doPagingProducts(str) {\n';
jstr2 += 'document.frmPagingProducts.PG.value = str\;\n';
jstr2 += 'document.frmPagingProducts.submit()\;\n';
jstr2 += 'return false\;\n';
jstr2 += '}\n';
jstr2 += '</script>\n';
jstr2 += '\n';
</script>

However, the closing script tag in the created string actually closes the JavaScript and I get errors such as:

Error: unterminated string literal
Line: 135, Column: 9 ( The </script> line before the end of the string.)
Source Code:
jstr2 += '

Is there any way I can prevent this issue..?

Many thanks for all your help.

Best Regards, Paul


Edit: I finally solved this problem by extracting the final </script> from the JavaScript string. I added an end tag where the script shows. It's messy, but it works. Many thanks for all your comments.

2
  • This is a legit question. As a web developer I like to put basic XSS attempts into my stored data on the site I work on - for example naming an entity "<script>alert('XSS');</script>"; it's not a comprehensive test by any means but it helps keep the frontend honest. I should be able to output JSON containing those strings in a script tag in the HTML without issue. Commented May 9, 2014 at 19:19
  • stackoverflow.com/questions/23386575/… Commented May 21, 2014 at 15:29

3 Answers

19

The SCRIPT tag is content agnostic, so the parser just keeps running through the content until it finds a /SCRIPT sequence. When it does, it passes the content it's found to the JS environment for evaluation. That gives you your unterminated literal error because the sent content ends where your /SCRIPT begins. (There is no terminating quote mark to be found for the JS parser).

Escaping the slash with backslash

jstr2 += "<\/script>";

or some other work-around hack breaks the trigger point in the sequence here and solves this problem (but still leaves you with some very dubious code).
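Putting this answer to work, as an added example that is not part of the original question or answers: a small function that escapes JSON for placement in an inline script (using the `\u003c` form, which is equivalent to the `<\/` escape above), plus a minimal model of the tokenizer rule, run over a constructed sample like the probe mentioned in the question's comments. The function and variable names are my own.

```javascript
// Added example, not code from the question or the answers above.
// The HTML tokenizer ends a <script> element at the first "</script" it
// meets, ignoring JavaScript string syntax. Inside a JavaScript (or JSON)
// string literal "\u003c" means the same as "<", so escaping hides the
// sequence from the HTML parser without changing the data.

// Escape JSON text so it can be placed inside an inline <script>.
// Escaping "<" also covers "<!--", which switches the tokenizer into its
// escaped state; "&" is escaped for documents served as XHTML.
function escapeJsonForInlineScript(jsonText) {
  return jsonText
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028") // legal in JSON, a line break in older JS
    .replace(/\u2029/g, "\\u2029");
}

// Build the inline script a server would emit for a value, naively or escaped.
function buildInlineScript(value, escaped) {
  const json = JSON.stringify(value);
  return "<script>var data = " +
    (escaped ? escapeJsonForInlineScript(json) : json) + ";</script>";
}

// Minimal model of the tokenizer rule: index where the <script> element ends.
function scriptElementEnd(html) {
  const start = html.indexOf("<script>") + "<script>".length;
  return html.toLowerCase().indexOf("</script", start);
}

// True when the element ends at the real closing tag, not somewhere inside.
function endsWhereIntended(html) {
  return scriptElementEnd(html) === html.length - "</script>".length;
}

// Constructed sample: an entity name carrying the probe from the comments.
const sample = { name: "<script>alert('XSS');</script>", note: "a & b" };
const naiveHtml = buildInlineScript(sample, false);
const safeHtml = buildInlineScript(sample, true);

// The naive script is cut off inside the JSON; the escaped one ends where
// the real </script> is, and parses back to the original data.
console.log(endsWhereIntended(naiveHtml), endsWhereIntended(safeHtml)); // false true
console.log(JSON.parse(escapeJsonForInlineScript(JSON.stringify(sample))).name === sample.name); // true
```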


Comments

6

Write it as:

jstr2 += '<\/script>\n';

Comments

4

You have to split the string:

jstr2 += '<' + '/script>\n';

It's also better to comment out everything inside the script:

<script type="text/javascript">
<!--//
    // your code here
//-->
</script>

Or in HTML:

<script type="text/javascript">
//<![CDATA[
    // your code here
//]]>
</script>

Or in XHTML:

  • same as HTML but #PCDATA instead of CDATA.

12 Comments

Don't split the string up and then concatenate. It is harder to read, takes longer to write, consumes more bytes and is slower to parse than just escaping the slash.
It is not better to comment out everything in the script. That is designed to protect Netscape 2 era browsers from treating <script> as an unknown element and rendering the content as text. It won't stop </script> being treated as an end tag because, in HTML, the element contains CDATA so the code that looks like HTML comments is not treated as such.
Using CDATA flags won't help much in XHTML either - since almost nobody serves their content as application/xhtml+xml so it gets parsed as if it was HTML.
@Ryan, neither have I, but it's in the docs. @David, (1) you split the string because when you're working with server scripts it's better than having to double escape, which is nastier to write. (2) It also helps pages validate, which is important for SEO. (3) sort of true, again this ties into the validation
@David: It's best to use CDATA when your script is bug free and ready for production. It gets rid of JS errors like for(var i=0,n=2;i<n;i++), where sometimes errors are reported on the <n portion due to spacing.
