Closed jcubic closed 2 years ago
I've ran into this issue over the years too. Your best bet might be to try to escape some characters to avoid such parsing, but it's definitely a bug in web-mode
.
</script>
cannot be stored as a string within Browser engines, https://jsfiddle.net/nwz7bkfd/ for a web poc, but it also fails when served / accessed natively.
You can work around the issue by using const script = '</' + 'script>';
. However, I'd suggest that you should avoid dynamically generated JavaScript, as it can lead to XSS and probably RCE in node-land. A better approach would be to use static JavaScript coupled with JSON blobs for dynamic content.
@YoloClin I'm generating HTML code that includes external dependencies for my JavaScript playground. It seems that you're right, I didn't check if it works, I completely forget that this syntax is invalid.
I have this code:
And this closes the beginning of the script even though it's inside a string.
I'm not sure how hard it would be to handle this case. I'm not able to find a similar issue.