secure embedded JS

lichess-org · May 12, 2016 · bcfc2b4 · bcfc2b4
1 parent cc412e6
commit bcfc2b4
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/app/templating/AssetHelper.scala b/app/templating/AssetHelper.scala
@@ -93,6 +93,9 @@ trait AssetHelper { self: I18nHelper =>
     s"""<script src="${static.fold(staticUrl(path), path)}?v=$assetVersion"></script>"""
   }
 
-  def embedJs(js: String): Html = Html(s"""<script>/* <![CDATA[ */ $js /* ]]> */</script>""")
+  def embedJs(js: String): Html = Html {
+    val escaped = js.replace("</script", "<|script")
+    s"""<script>$escaped</script>"""
+  }
   def embedJs(js: Html): Html = embedJs(js.body)
 }