Every once in a while, I'll see an HTML code snippet with %3Cscript, where the %3C replaces the <. Is this because the code was auto-generated or needs to display properly in an editor, or was it coded that way explicitly for some reason and needs to keep that form on the HTML webpage? In case it is helpful, here is the full beginning of the line of code I was questioning:
document.write(unescape('('%3Cscript
Wouldn't the line of code work just fine if you replaced the %3C with a <?
3 Answers
The unescape() Javascript function converts the %3C back to < before it gets written into the document. This is apparently an attempt to avoid triggering scanners that might see the literal <script tag in the source and misinterpret what it means.
When writing javascript in a script tag embedded in html, the sequence </script> cannot appear anywhere in the script because it will end the script tag:
<script type="text/javascript">
var a = "<script>alert('hello world');</script>";
</script>
is more or less treated as:
<script type="text/javascript">
var a = "<script>alert('hello world');
</script>
";
<script></script>
in the eyes of the html parser.
Like mplungjan said, this is a convoluted way and one can simply use <\/script> in a javascript string literal to make it work:
<script type="text/javascript">
var a = "<script>alert('hello world');<\/script>";
</script>
This is not related to document.write technically at all, it's just that document.write is a common place where you need "</script>" in a javascript string literal.
Also note that "<script>" is indeed totally fine as is. It's just the "</script>" that's the problem, which you have cut out from the code.
As mentioned, possible attempt to fool scanners.
A more useful and important one is the <\/script> or '...<scr'+'ipt>' needed to not end the current script block when document.writing a script inline.
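The three answers above all turn on one fact: the HTML parser does not understand JavaScript string literals, so the script element's content ends at the first "</script" it sees, wherever that sits in the JS source. The following is an added example (not code from the question or any of the answers) that models that rule with a small regex, shows why the "<\/script" escape and the %3C percent-encoding both work, and applies the same escape to the "</scr" + "ipt>" concatenation trick. The function names (scriptBodyEnd, splitAsHtmlParser, escapeForInlineScript, buildDocumentWrite, buildUnescapeWrite) and the sample inputs are constructed for this example.

```javascript
// Added example, not from the original question or answers. Function names
// and sample inputs below are constructed for illustration.

// Where the HTML parser would end the script element's content: the index of
// the first "</script" (case-insensitive) in the script body, or -1 if there
// is none. This is a simplified model of the tokenizer's "script data" state;
// JS string and comment context is ignored on purpose, because the real
// HTML parser ignores it too.
function scriptBodyEnd(jsSource) {
  const m = /<\/script/i.exec(jsSource);
  return m ? m.index : -1;
}

// Split a script body the way the HTML parser would: the part that actually
// runs as JavaScript, and the leftover text that is parsed as HTML instead.
function splitAsHtmlParser(jsSource) {
  const end = scriptBodyEnd(jsSource);
  if (end === -1) return { executed: jsSource, leftover: "" };
  return { executed: jsSource.slice(0, end), leftover: jsSource.slice(end) };
}

// The fix the answers recommend: write "</" as "<\/" inside JS string
// literals. The HTML parser no longer finds "</script", while the JS engine
// reads "\/" as a plain "/", so the runtime string value is unchanged.
function escapeForInlineScript(jsSourceText) {
  return jsSourceText.replace(/<\//g, "<\\/");
}

// Build a document.write(...) statement that is safe to embed inline.
// JSON.stringify yields a valid JS string literal (with quotes); the escape
// is then applied to the literal's source text.
function buildDocumentWrite(tagHtml) {
  return "document.write(" + escapeForInlineScript(JSON.stringify(tagHtml)) + ");";
}

// The same effect through percent-encoding, as in the question's snippet.
// encodeURIComponent turns "<" into %3C and ">" into %3E, so the literal
// "</script" never appears in the source; unescape() reverses it at runtime.
// (unescape is legacy; decodeURIComponent is the modern counterpart.)
function buildUnescapeWrite(tagHtml) {
  return "document.write(unescape('" + encodeURIComponent(tagHtml) + "'));";
}

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  const naive = 'document.write("<script src=\\"x.js\\"></script>");';
  console.log(splitAsHtmlParser(naive));
  // -> executed ends right before "</script>", leftover is parsed as HTML
  console.log(buildDocumentWrite('<script src="x.js"></script>'));
  console.log(buildUnescapeWrite('<script src="x.js"></script>'));
}
```

Run the file with node to see the naive form split mid-string and the two safe forms pass through scriptBodyEnd with no match. The escape is applied to JS source text, not to the runtime value, which is why evaluating the escaped literal still yields the original "</script>" string.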