Unterminated "<script>" inside strings in injected javascript makes HTML invalid

[stiboost]

Testing this with a React application.

There's the following line in the built HTML which breaks the page:

...else{switch(o=n.nodeType===9?n:n.ownerDocument,e===ls&&(e=mc(i)),e===ls?i==="script"?(e=o.createElement("div"),e.innerHTML="<script></script>",e=e.removeChild(e.firstChild))...

The part with e.innerHTML="<script></script>" breaks the page and the rest of the javascript is rendered as text on the page.

I've checked the application code and I don't do this anywhere.

Only code that is similar is this little snippet:

  return new Promise((resolve) => {
    const scriptEl = document.createElement('script');
    scriptEl.src = url;
    scriptEl.onload = () => resolve();
    document.body.appendChild(scriptEl);
  });

Is this some optimization vite does, that it changes createElement calls into innerHTML?

[richardtallent]

Interesting. This naive issue could be fixed by adjusting the regex that looks for the script tag. I can look at it when I return after Sept. 8. A reproduction repo would be appreciated, as I don't use React.

[richardtallent]

Closed, no reproduction.