6

Given other questions on the same topic I feel I understand the apparent justifications for concatenating the <script> tag as '<scr'+'ipt..' in a javascript string, even if this itself is misguided.

However, looking at the code for the Instapaper bookmarklet I see d.createElement('scr' + 'ipt'). The relevant part of the code (beautified) is at the end of the question.

Even if this (anti-)pattern is to avoid the HTML parser balking at the markup after the occurrence of the closing <script> tag within a javascript string, I can see even less justification for doing it here given the concatenated text does not even represent a <script> tag.

In this case, is this done for some other reason?

javascript: function iprl5() {
    var d = document,
        z = d.createElement('scr' + 'ipt'),  //???
        b = d.body,
        l = d.location;
Pero P.
  • 3
    Someone was sleeping at that time. – Rob W Feb 17 '12 at 23:26
  • 6
    I think it is just a dogmatic application of the pattern without an understanding of why it's done. ``var test = document.createElement('script');`` doesn't barf on me (and I wouldn't expect it to). –  Feb 17 '12 at 23:27

2 Answers

5

It is silly to escape "<script>" as it will not be parsed as a tag inside a script block* and it is even sillier to treat "script" as special. It's not. It lacks either a < or </, without which it will never be parsed as a tag -- in any context. Thus f("script") and f("scr"+"ipt") have identical semantics.

Technically in HTML, all </ in a script block need to be guarded against, but in practice browsers only care about </script>. Because of this, "<"+"/script>" is what I recommend, but that applies only to closing tags. That is, "<script>" (or "script" as the case may be) is perfectly valid inside a script block.

Happy coding.


*By a compliant HTML parser: however, hand-rolled (regex) parsing may explode in terrible ways. The XML/XHTML rules are different, but then the < needs to be encoded for those to be well-formed anyway ... perhaps some obscurities with CDATA? In any case, it is irrelevant to HTML.

Also, the linked answers do not argue for "<scr"+"ipt.." (or subsets like "scr"+"ipt"): instead, they argue for guarding against the closing script-tag construct, which begins with </, that is not even present in the code in the post...
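An added example (not part of the question or either answer), runnable under Node.js: a simplified model of where an HTML parser ends an inline script block, applied to constructed strings. The function names and sample strings are assumptions, and the tokenizer's `<!--` escaped-script states are not modelled.

```javascript
// Simplified model of the HTML tokenizer's "script data" state: the element
// ends at the first "</script" followed by whitespace, "/" or ">",
// matched case-insensitively, no matter where it sits in the JavaScript.
// Assumption: the "<!--" escaped-script states are not modelled.
const SCRIPT_END = /<\/script[\t\n\f\r \/>]/i;

// Index at which the parser would close the script element, or -1.
function scriptEndIndex(inlineSource) {
  const m = SCRIPT_END.exec(inlineSource);
  return m ? m.index : -1;
}

// The text the parser would actually hand to the JavaScript engine.
function parsedScriptBody(inlineSource) {
  const end = scriptEndIndex(inlineSource);
  return end === -1 ? inlineSource : inlineSource.slice(0, end);
}

// Constructed samples: each value is the text between <script> and </script>.
const samples = {
  plainName: "z = d.createElement('script');",
  splitName: "z = d.createElement('scr' + 'ipt');",
  openTag: "s = '<script>';",
  closeTag: "d.write('<script src=\"a.js\"></script>');",
  splitClose: "d.write('<script src=\"a.js\"><' + '/script>');",
  // String.raw keeps the backslash, so the sample contains <\/script>
  escapedClose: String.raw`d.write('<script src="a.js"><\/script>');`,
};

// One row per sample: is the block cut short, and what survives?
function report() {
  return Object.entries(samples).map(([name, src]) => ({
    name,
    truncated: scriptEndIndex(src) !== -1,
    body: parsedScriptBody(src),
  }));
}

for (const row of report()) {
  console.log(row.name.padEnd(13), row.truncated ? "TRUNCATED" : "intact   ", row.body);
}
```

Only the sample containing a literal `</script>` is cut short; splitting the word "script" or the opening tag changes nothing.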

3

No.

I think.

I expect this is done by someone who was burned by a '</script>' and got too protective.

Umbrella