On Thu, Jan 22, 2009 at 3:28 PM, Lev Epshteyn <[email protected]> wrote:
> Well, it's Shindig that takes a separate .js file where this is not an > issue, and puts its contents into an inline script block. > > It's my understanding that not only OpenSocial features, but also > third-party JS libraries can be inlined this way, so we can't rely on the > JS > author being conscious of the possibility that their code will get so > included and avoiding this problem string. Your understanding is incorrect. We only inline shindig feature javascript. > At first, I had thought that simply enclosing the script content in a CDATA > block would solve the issue, but that doesn't seem to be the case. That would only work if the gadget was served as XHTML. Since internet explorer still does not support XHTML, this isn't an option. Always escape forward slashes. > > > On Thu, Jan 22, 2009 at 6:06 PM, Kevin Brown <[email protected]> wrote: > > > On Thu, Jan 22, 2009 at 2:46 PM, Lev Epshteyn <[email protected]> wrote: > > > > > I found a strange bug in shindig while adding a checkbox to sample > > > container > > > to support non-minified JS output. > > > > > > In the templates feature JS, some of our comments include usage > examples, > > > which contain the string "</script>". > > > > > > This is not a problem for a .js file, but when Shindig inlines this > > content > > > into a <script> block, the string causes all sorts of havoc in the > > browser, > > > causing it to terminate the script block prematurely. > > > > > > While this isn't an issue in minified mode, where comments get stripped > > > off, > > > I am wondering if the problem can also occur if I have a closing script > > tag > > > inside a string literal. I haven't actually tested this, so it's > entirely > > > possible that Shindig is smart enough to handle this edge case. > > > > > > This isn't a "shindig bug", it's a well known browser limitation. Always > > escape the string "</script>" as "<\/script>" in javascript. Contrary to > > common belief, you don't need to do bizarre things like concatenating > <scr > > and ipt>. Simply escaping the forward slash is sufficient. > > >
