Reputation: 76028
Does all browser engines treat "\<" as "<" and "\>" as ">"?
The main point to make "<" to "\<" and ">" to ">" is to make avoid below inline script:
<script>
var foo = "</script><script>alert('bug');</script><script>"; // the value of foo is generated from server
</script>
The string value of foo is generated from server side. So, we plan to change "<" to "\<" and ">" to ">". (I know there is argument that ">" should be escaped to "& gt;", but it is not in consideration in this case.)
So, the expected result is:
<script>
var foo = "\</script\>\<script\>alert('bug');\</script\>\<script\>"; // the value of foo is generated from server
</script>
For IE7/8 and Firefox, the HTML rendering engine will not treat \<script\> in javascript string as <script> tag, and JavaScript engine still take it as string "<script>". However, I'm not sure whether all browsers treat ">" and "\<" this way. Is this kind of standard for all browsers?
Upvotes: 1
Views: 139
Answers (1)
Reputation: 245449
No, your best bet is to use > and < for the greater than and less than signs respectively.
So you'd want something like this:
var foo = "</script><script>alert('bug');</script><script>";
Upvotes: 5
Related Questions
- Why do browsers parse "<? ?>" as "<!--? ?-->"?
- Javascript: Escape <> for non-html strings, but preserve html
- How is "<" in HTML handled by browsers?
- IE11 does not escape a concatenated "<" character
- Does javascript consider everything enclosed in <> as html tags?
- Writing '<' in HTML
- Escape "<" and ">" as part of element attribute value in IE
- Could an HTML tag have < anywhere in it? (In the strings for example)
- "<" sign not showing in javascript?
- Is it necessary to "escape" character "<" and ">" for javascript string?