On Tue, Jul 12, 2016 at 10:23:20PM +0200, Jakub Jankiewicz wrote:

[...]

> I've commented out (#\" . "quot") in alist->hash-table and it works. Thanks
> for your help.

I wised up a bit, to get an idea on how it's supposed to work (if
there's such a thing on the Internet ;-) and found out:

 - in XHTML, the content of the script tag is parsed character data
   (#PCDATA). This means that entities (&quot; and so on) *will be
   parsed and substituted*. Not so for HTML: there it's raw character
   data (#CDATA), and no entity substitution is supposed to happen [1]

   So your approach goes in the right direction. When outputting HTML,
   no substitution is supposed to be done (no &quot; and no &lt; and
   so on).

 - But how do you keep your thing from tripping over some nasty
   </script> deeply embedded in the javascript text, then? The very
   readable [2] suggests: don't do it, then. That means: munge the
   javascript until it doesn't contain that nastygram. E.g.

     var nasty="</script\>";

   Whee. Looks kinda cool, somehow.

   (that means you can only automate this task if you manage to kinda
   half-parse the provided javascript thing, right? But perhaps one
   can prove that "</" isn't a valid sequence in javascript outside
   a string literal?).

Hope you enjoyed that ;-)

[1] http://www.w3schools.com/tags/tag_script.asp
[2] http://jibbering.com/faq/faq_notes/script_tags.html

-- tomás
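
The two output rules described in the message above, as an added example that is not part of the original post or of the project's code. It goes one step beyond the message: for data values, writing "<" as the string escape \u003c removes the need to parse the JavaScript at all. All function names and the sample string are assumptions.

```javascript
// Added example; every name here is hypothetical, not from the thread.

// HTML: <script> content is raw text, no entity substitution happens.
// The one thing that must not appear in it is an end-tag opener.
const HTML_BREAKER = /<\/script/i;

// Serialize a data value as a JavaScript literal that is safe inside an
// HTML <script> element. JSON.stringify does the quoting; every "<" is
// then written as the string escape \u003c, so "</script" cannot occur.
function toScriptLiteral(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError("value has no JSON representation");
  }
  return json.replace(/</g, "\\u003c");
}

// HTML output: emit code verbatim (no &quot;, no &lt;), but refuse code
// that would terminate the element early instead of guessing how to fix it.
function htmlScript(js) {
  if (HTML_BREAKER.test(js)) {
    throw new Error("script text contains </script");
  }
  return "<script>" + js + "</script>";
}

// XHTML output: content is parsed character data, so markup characters
// are entity-encoded and the XML parser substitutes them back.
function xhtmlScript(js) {
  const escaped = js
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
  return "<script>" + escaped + "</script>";
}

// Constructed sample input: a string value carrying the "nastygram".
const nasty = 'He said "</script><b>hi</b>"';
const assignment = "var nasty=" + toScriptLiteral(nasty) + ";";
```

Only `toScriptLiteral` rewrites anything; `htmlScript` rejects hand-written code containing the sequence, since fixing it automatically would require the half-parse the message mentions.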
