Geek Answers Handbook

"% 3Cscript" vs "<script"

From time to time I see a piece of HTML code with

%3Cscript

where %3C replaces < . Is it because the code was automatically generated or should be displayed properly in the editor or it was explicitly specified for some reason and should save this form on the HTML web page? In case this is useful, this is the full start of the line of code I asked:

 document.write(unescape('('%3Cscript

Will the line of code work fine, have you replaced %3C with < ?

+4
source share
3 answers

The unescape() function converts %3C back to < before it is written to the document. Apparently, this is an attempt to avoid running scanners that can see the literal <script tag in the source and misinterpret what it means.

+3
source

When writing javascript in a script tag embedded in html, the </script> sequence cannot appear anywhere in the script because it will end the script tag:

 <script type="text/javascript"> var a = "<script>alert('hello world');</script>"; </script>

More or less considered as:

 <script type="text/javascript"> var a = "<script>alert('hello world'); </script> "; <script></script>

In the eyes of the html parser.

As mplungjan said, this is confusing, and you can just <\/script> into the javascript string literal to make it work:

 <script type="text/javascript"> var a = "<script>alert('hello world');<\/script>"; </script>

This is not related to the technique of document.write at all, just document.write is the usual place where you need "</script>" in the javascript string literal.

Also note that "<script>" really great as it is. It’s just "</script>" that the problem you cut from the code.

+1
source

As already mentioned, you can try to trick scanners.

More useful and important is <\/script> or '...<scr'+'ipt>' you do not need to complete the current script block when document.writing script inline

0
source

More articles:


All Articles