How is unicode parsed by JavaScript when a page is loaded?

Question

I have a unique problem and was curious about the way JavaScript handles unicode. I am setting up a continuous deployment system that does a find and replace on a string. In development environments, we obviously don't include google analytics on those pages since they are not live. Instead, we enclose a comment such as <!-- GA --> which is located via find/replace script (Ansible) and then the analytics code goes in its place.

Here's my problem: Because there cannot be any spaces, special characters ('), newlines, etc in the 'replace' parameter of the script, I need to condense down my google analytics code into a single string - unicode seeming like the most logical choice.

Here's my question: If I simply add this to my HTML in script tags, will the page effectively execute the google analytics javascript, even though it's in unicode?

<script>\u3404\u0024.....................</script>

... where all of the other dots are just more unicode-escaped chars.

Or, in order to get this to run, must I use eval, similar to the following?

<script>
  var unicode = "\u3404\u0024.....";
  eval(unicode);
</script>

In order to get the google analytics JS to run?

This is for an important production site so I cannot risk this code not working. Thanks in advance.

Answer 1

If I simply add this to my HTML in script tags, will the page effectively execute the google analytics javascript, even though it's in unicode?

First, your example is not “in Unicode”, it’s just using JavaScript character escape sequences. The ones you used are supported in string literals and regular expression literals.

To test if the page executes escaped JavaScript like that, you could just try it and see:

<script>\x61\x6C\x65\x72\x74\x28\x31\x29</script>

This throws a syntax error instead of executing the unescaped version (alert(1)).

See section 15.1.9 of the ECMAScript standard to see how JavaScript is parsed.