Small question from a rookie

Sharon

Hiya
I have a small question, I saw this piece of code somewhere (it's for
creating a customized context menu) and I was wondering: Why is it
that the STYLE and SCRIPT-tags are broken up into parts? I hope
someone can answer my question, thanks! Sharon

html+='<TABLE STYLE="border:1pt solid #808080" BGCOLOR="#CCCCCC"
WIDTH="140" HEIGHT="220" CELLPADDING="0" CELLSPACING="1">';
html+='<ST'+'YLE TYPE="text/css">\n';
html+='a:link {text-decoration:none;font-family:Arial;font-size:8pt;}\n';
html+='a:visited {text-decoration:none;font-family:Arial;font-size:8pt;}\n';
html+='td {font-size:8pt;}\n';
html+='</ST'+'YLE>\n';
html+='<SC'+'RIPT LANGUAGE="JavaScript">\n';
html+='\n<'+'!--\n';
html+='window.onerror=null;\n';
html+='/'+' -'+'->\n';
html+='</'+'SCRIPT>\n';
html+='<TR><TD STYLE="border:1pt solid #CCCCCC"
ONMOUSEOVER="this.style.background=\'#CFD6E8\';thi s.style.border=\'1pt
solid #737B92\';" ONMOUSEOUT="this.style.background=\'#CCCCCC\';this .style.border=\'1pt
solid #CCCCCC\';" ONCLICK="window.history.go(-1);"> Filter op:'+
Value + '</TD></TR>';
html+='</TABLE>';

Jul 23 '05 #1

Subscribe Post Reply

1239

Klaus Johannes Rusch

Sharon wrote:

I have a small question, I saw this piece of code somewhere (it's for
creating a customized context menu) and I was wondering: Why is it
that the STYLE and SCRIPT-tags are broken up into parts?

Some browsers would take any occurance of "<script" as the start tag of
another script and assume that the previous script element had not been
closed.

Writing "<script" as "<sc" + "ript" (or similar) stops browsers from
incorrectly interpreting the element in the Javascript code.

--
Klaus Johannes Rusch
Kl********@atmedia.net
http://www.atmedia.net/KlausRusch/

Jul 23 '05 #2

Richard Cornford

Sharon wrote:

I have a small question, I saw this piece of code somewhere
(it's for creating a customized context menu)
Test that with an Opera browser and it might not seem like such a good
idea.
and I was wondering: Why is it
that the STYLE and SCRIPT-tags are broken up into parts?
The script tags are broken into parts because when a browser encounters
a script element on a page it needs to know how much of what follows to
send to the javascript interpreter; it needs to know where the closing
SCRIPT tag is, so it looks for one. But HTML parsers don't understand
javascript (just HTML) so when they see - "</script>" - in a javascript
string they assume that it represents the end of the SCRIPT element.

They send everything before the "</script>" to the javascript
interpreter, which errors with an unterminated string, and treat
everything that follows as page content. Bad news and best avoided.

The reason STYLE tags (and opening script tags) are also broken in this
script is that whoever wrote it didn't understand what they were doing,
or why, and resorted to programming by mystical incantation to deal with
a problem that they had perceived by misidentified.

In practice it is only necessary to prevent the HTML parser from
recognising the closing script tag but string concatenation is not the
best way of doing so as it is a relatively heavyweight operation and
unnecessary. Inserting a javascript escape character "\" into the
sequence "</script>" would render it unrecognisable as a closing script
tag to the HTML parse.

However, by HTML specification the closing script tag is not the only
one that should cause problems, though browsers seem to be universally
implemented such that it is. Theoretically the character sequence "</"
alone should mark the end of any script element so it is that sequence
that needs to be unrecognisable within javascript strings to truly
achieve safety.

<snip> html+='</'+'SCRIPT>\n';

^^
<snip>

That is usually done by inserting the javascript escape character
between the two to produce "<\/". And it should be done to any closing
HTML tag appearing in a javascript string on an HTML page (imported
javascript does not have this problem because it is never looked at by
the HTML parser). The obscured closing script tag would become
"<\/script>".

Richard.

Jul 23 '05 #3

Lee

Sharon said:

Hiya
I have a small question, I saw this piece of code somewhere (it's for
creating a customized context menu) and I was wondering: Why is it
that the STYLE and SCRIPT-tags are broken up into parts? I hope
someone can answer my question, thanks! Sharon

A web page is parsed by a routine that knows how to
parse HTML code, looking for tags like <SCRIPT> and
<STYLE> and when it finds a <SCRIPT> tag, it passes
the contents off to a separate routine to interpret
the script.

The author was worried that the HTML parser would be
confused by HTML tags inside the <SCRIPT> tag.

Jul 23 '05 #4

Lasse Reichstein Nielsen

Klaus Johannes Rusch <Kl********@atmedia.net> writes:

Some browsers would take any occurance of "<script" as the start tag
of another script and assume that the previous script element had not
been closed.

Do you have an example of any browser that works like that?

AFAIK, the only problem is with the first occurence of "</" after a
"<script>" tag marking the end of the script (in practice browsers
only end it at "</script"). The solution recommended in the HTML
specification is to write "<\/" instead of "</". It results in the
same Javascript string value, but is not parsed the same by the
HTML parser.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'

Jul 23 '05 #5

Klaus Johannes Rusch

Lasse Reichstein Nielsen wrote:

Do you have an example of any browser that works like that?

AFAIK, the only problem is with the first occurence of "</" after a
"<script>" tag marking the end of the script (in practice browsers
only end it at "</script"). The solution recommended in the HTML
specification is to write "<\/" instead of "</". It results in the
same Javascript string value, but is not parsed the same by the
HTML parser.

Casual testing on a few browsers did not show any problems with the
start tag so you are probably right that only the end tag needs to be
modified, although it doesn't hurt (except for the few extra bytes) to
split both the start and the end tag, just in case :-)

"<\/script>" works just as well of course.

--
Klaus Johannes Rusch
Kl********@atmedia.net
http://www.atmedia.net/KlausRusch/

Jul 23 '05 #6

Thomas 'PointedEars' Lahn

Richard Cornford wrote:

Sharon wrote:
and I was wondering: Why is it that the STYLE and SCRIPT-tags are
broken up into parts?
The script tags are broken into parts because when a browser
encounters a script element on a page it needs to know how much of
what follows to send to the javascript interpreter; it needs to know
where the closing SCRIPT tag is, so it looks for one. But HTML
parsers don't understand javascript (just HTML) so when they see -
"</script>" - in a javascript string they assume that it represents
the end of the SCRIPT element.

They send everything before the "</script>" to the javascript
interpreter, which errors with an unterminated string, and treat
everything that follows as page content. Bad news and best avoided.

It is not only "</script>" that causes problems and not only the
SCRIPT element where this peculiarity of HTML/SGML should be watched
for.
The reason STYLE tags (and opening script tags) are also broken in
this script is that whoever wrote it didn't understand what they were
doing, or why, and resorted to programming by mystical incantation to
deal with a problem that they had perceived by misidentified.

For an SGML parser (that should be used for HTML as HTML is an SGML
application), *any* ETAGO (End TAG Open) delimiter ("</") is considered
the end of CDATA (a start tag of an element should not; if it is, it
would be borken parser behavior). The contents of the HTML[1] SCRIPT
element is defined as CDATA (character data; opposed to PCDATA -- parsed
character data), so *every* ETAGO delimiter (including those of end tags
of other elements than the SCRIPT element) in it must be escaped (using
the means the embedded language provides; in ECMAScript/J[ava]Script
that is string splitting or, better in string literals, string escaping)
to prevent the element from ending to early. However, the end tags have
been splitted at exactly the wrong place here.
PointedEars
___________
[1] That is different in XHTML, where it is defined as PCDATA, so you
are wise to use a <![CDATA[ ... ]]> declaration there for parts
that should not be parsed by the XML parser (e.g.: "y=x&°
=°=> y=x&°;"); usually you would (re-)declare the whole script
as CDATA.

Jul 23 '05 #7

Richard Cornford

Thomas 'PointedEars' Lahn wrote:

Richard Cornford wrote: <snip>
They send everything before the "</script>" to the javascript
interpreter, which errors with an unterminated string, and
treat everything that follows as page content. Bad news and
best avoided.

It is not only "</script>" that causes problems and not

^^^^^^ only the SCRIPT element where this peculiarity of HTML/SGML
should be watched for.
When you write "causes" you are implying that you are aware of a browser
which does follow the letter of the HTML specification. If so you should
name it because all previous discussion on this subject has failed to
reveal a single instance of a web browser that is interested in any
closing tag other than </script> within a javascript string.

The reason STYLE tags (and opening script tags) are also
broken in this script is that whoever wrote it didn't
understand what they were doing, or why, and resorted
to programming by mystical incantation to deal with a
problem that they had perceived by misidentified.

For an SGML parser (that should be used for HTML as HTML
is an SGML application), *any* ETAGO (End TAG Open) delimiter
("</") is considered the end of CDATA (a start tag of an element
should not; if it is, it would be borken parser behavior).

Why have you cut the sections of my original post that said:-

| However, by HTML specification the closing script tag is not
| the only one that should cause problems, though browsers seem
| to be universally implemented such that it is. Theoretically
| the character sequence "</" alone should mark the end of any
| script element so it is that sequence that needs to be
| unrecognisable within javascript strings to truly achieve
| safety.

- and -

| That is usually done by inserting the javascript escape character
| between the two to produce "<\/". And it should be done to any
| closing HTML tag appearing in a javascript string on an HTML page
| (imported javascript does not have this problem because it is never
| looked at by the HTML parser). The obscured closing script tag
| would become "<\/script>".

- and then re-produced essentially the same information if a form that
appears to be intended as a correction?
The contents of the HTML[1] SCRIPT element is
defined as CDATA (character data; opposed to PCDATA -- parsed
character data), so *every* ETAGO delimiter (including those of end
tags of other elements than the SCRIPT element) in it must be escaped

<snip> ^^^^

"Must" implies necessity and without a single browser actually caring
about closing tags other than </script> there is no necessity. The most
that can be accurately said is "should" (and then it should be done out
of a desire for valid HTML). Though there doesn't seem much point in
saying anything when it has already been said in the post you are
replying to (and a couple of others in this thread).

Richard.

Jul 23 '05 #8

Similar topics

Rookie Speaks

by: William S. Perrin | last post by:

I'm a python rookie, anyone have and suggestions to streamline this function? Thanks in advance..... def getdata(myurl): sock = urllib.urlopen(myurl) xmlSrc = sock.read() sock.close() ...

Python

Usage example for ANSI.py from the pexpect package

by: Eric Myers | last post by:

Hello folks: (This message is also posted on the help forum at the pexpect sourceforge page, but all indentation in the code got stripped away when I submitted the post.) For some time I've...

Python

HELP!! HOW TO CALL A DTS PACKAGE FROM A STORED PROC

by: Cox News Server | last post by:

I'm a rookie with MSSQL. I need to run a DTS package to export a result set to an MX Excel spread sheet. I need to call the DTS from a stored procedure and pass it three values, depending on the...

Microsoft SQL Server

Incrementing number in a column -- rookie sql user

by: bigjmt | last post by:

Sorry to bother you guys with what I though would be an easy task. I have a table in my database were I would like one of the rows to increment a number for each row. I want the first row to start...

Microsoft SQL Server

Rookie Question: Need a Script To Count How Many Days Have Passed Since January 1, 1970

by: Tom | last post by:

Please help. I need a quick little scrpit to place on a web page that will count how many days have passed since January 1, 1970. I have ZERO experience writing ANY scripts. Anyone have any...

Javascript

can't send Email from Access

by: Tom | last post by:

It wont let me send an email from access comes up with error msg. "Microsoft Access can't open mail session" What could it be? JS

Microsoft Access / VBA

Importing a DLL class (class exported from a VC++ DLL)

by: Rookie | last post by:

Hi, I have a DLL written in VC++ which exports a class. I want to import this class into a C# application and be able to instantiate it in the C# code. Is it possible to do this? If yes, is...

C# / C Sharp

aspx rookie

by: Dst | last post by:

Hi i'm trying to make a very simple web site using visual studio 2005. I'm completely noob at this so i need some pointers to get me started. As i understand frames should not be used in...

ASP.NET

Temperature Conversion Program - Still a Rookie

by: AsheeG87 | last post by:

Hey Everyone~ I'm still a C++ Rookie so please bear with me on this. I'm doing a temperature conversion program with prototype functions. Basicly, I was wondering if some of you would take a look...

C / C++

Easy Steps to Fix "Canon Printer Won't Connect to WiFi Network"

by: taylorcarr | last post by:

A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...

General

How to turn on java script in a villaon keypad mobile phone

by: Charles Arthur | last post by:

How do i turn on java script on a villaon, callus and itel keypad mobile phone

Java

Batch import of multiple excel files into the database

by: ryjfgjl | last post by:

If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...

Data Management

Merging data from multiple Excel files

by: ryjfgjl | last post by:

In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...

Data Management

Navigating the Data Structures and Algorithms (DSA)

by: BarryA | last post by:

What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...

Algorithms / Advanced Math

How to build RAID in BIOS?

by: Hystou | last post by:

There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...

Computer Hardware

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...

General

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...

Windows Server

Problem With Comparison Operator <=> in G++

by: Oralloy | last post by:

Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...

C / C++