On Sun, Sep 13, 2015 at 01:05:45PM -0400, Karl Dahlke wrote: > > Doesn't this miss the also destructive </script problem? > > Yes it does, but "</script>" does not seem to appear in the wild. > In other words, web developers and generators are careful not to crank out > the string "...</script>..." because </script> anywhere ends the script. > My parser has made this assumption for ten years, and it's pretty reliable. > > They're more than happy to write > var a = "<script>"; > but not > var a = "</script>"; > the latter often written as > var a = "</scr" + "ipt>"; > This too generates a tidy warning, because </s shouldn't appear, > or </ any letter for that matter, > but it does not cause trouble and does not derail the script. > So my early research suggests we're ok here.
Ok that makes sense. In which case I'm unclear as to why tidy5 wouldn't handle <script inside a script tag. Has anyone posted to their mailing list yet about this? Cheers, Adam.
signature.asc
Description: Digital signature
_______________________________________________ Edbrowse-dev mailing list [email protected] http://lists.the-brannons.com/mailman/listinfo/edbrowse-dev
