24

I have a string in Javascript where I have to escape several characters:

<script>
function GenerateCode() {
     alert(ctry);
     var script = "<script async src=\"//somesite.com/feed/livetrend.js\"></script>";
}
</script>

I have tried the following to escape the characters:

var script = "<script async src=\"//somesite.com/feed/livetrend.js\"></script>";

However, this does not work correctly, despite having taken care of including an escape character \ in front of "

It an error -unterminated string constant.

Improve this question
5
  • What do you mean by it doesn't work? Commented Feb 21, 2015 at 7:20
  • Couldn't reproduce the problem Commented Feb 21, 2015 at 7:23
  • Is you script inline or in a separate file? Commented Feb 21, 2015 at 7:28
  • Should I take the closing </script> tag to mean that script is inline in the HTML? Commented Feb 21, 2015 at 7:29
  • please see the question again. Commented Feb 21, 2015 at 7:33

4 Answers 4

Reset to default
55

The issue is that when the browser encounters the closing </script> tag inside a open <script> tag, regardless of the context in which it is used, it will terminate the script tag there. There are a couple of way to avoid this.

Option 1 - Escape the / in the closing script tag:

var script = '<script async src="//somesite.com/feed/livetrend.js"><\/script>';

Option 2 - Wrap the JavaScript in commented out HTML comments:

<script>
/*<!--*/
var script = '<script async src="//somesite.com/feed/livetrend.js"></script>';
/*-->*/
</script>

Using <![CDATA[ and ]]> instead of <!-- and --> also works.

One potential downside to this might be if you also want to have JavaScript strings that also contain these closing comments or CDATA, then it may not work.

Option 3 - Put the JavaScript into an external file:

Of course, moving the JavaScript into an external file will avoid this issue altogether, though it might not be preferable.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Tried option 1 - it worked. it was what i was looking for.<script> in a <script> got confused. thanks a lot!
@Alexander how do we programmatically escape the / in the closing script tag?
I love option 2 but can you explain why it works? Is this exploiting some bug and does it work on all browsers? How robust is this hack?
@BrobicVripiat It works because the HTML has to be parsed as HTML before running the JavaScript. Tags inside of comments are interpreted as part of the comment by the HTML parser. It's not a bug, it's just a clever way of saying don't parse the stuff between these comments as HTML.
1

In addition to Alexander O'Mara's answer, and especially for cases when the string comes from user-generated content:

Option 4 - move the string to an HTML tag and retrieve it in your script

<input type=hidden id=escapedString
    value="&lt;script async src=&quot;//somesite.com/feed/livetrend.js&quot;&gt;&lt;/script&gt;" />

<script>
var script = escapedString.value;
</script>

This is a bit easier because all server-side environments and browsers provide standard HTML escaping methods, whereas escaping </script> is not well standardized and is error prone.

Improve this answer

Comments

0

I think, the easiest way is to use backtick(`) instead of quotation marks.

For example:

var script = `<script async src="//somesite.com/feed/livetrend.js"></script>`;
Improve this answer

1 Comment

How does this help?
-1

What happens?

The browser HTML parser will see the </script> within the string and it will interpret it as the end of the script element.

A commonly used technique is to use the concatenation operator:

const test = '<script>...... </scr'+'ipt>';

That fixed my issue.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.