`style` and `script` tags have special treatment in HTML - they contain verbatim text, not any nested elements. We should parse the contents as unencoded text, simply looking for end: `<script\b` (case insensitive).
We need to do this in a major version, since it's a breaking change (for example, someone may rely on {{resource:X}} working in script).
We should consider giving the same parsing exception to `dot:InlineScript`.
In HTML, the content of <script> and <style> tags should not be parsed as HTML,
the parser should simply look for the end tag.
This eliminates the need to HTML-encode all `<` operators (or even
HTML inlined in string literals).
To align dothtml and HTML, the patch implements this behavior in dothtml.
The change may easily break someone's code, if they already have
a script element with entities like `&lt;`, so it is possible to configure
which tags will be parsed as "raw text".
By default, it is script, style and also dot:InlineScript and
dot:HtmlLiteral (as suggested in #1428). This setting is up for debate.
resolves #1445
exyi linked a pull request Dec 28, 2024 that will close this issue
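
The two parsing modes discussed above, side by side, as an added example: this is not DotVVM's tokenizer, and `tokenize`, its token shape and the sample markup are constructed here. It assumes the end marker is `</name` followed by a word boundary, matched case-insensitively, and takes the default raw-text tag list from the pull request description.

```javascript
// Added illustration, not DotVVM code. Tag names in the set must be lower-case.
const RAW_TEXT_TAGS = new Set(["script", "style", "dot:inlinescript", "dot:htmlliteral"]);

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Splits markup into open / close / text / raw tokens (hypothetical token shape).
// After the opening tag of a raw-text element, everything up to the first
// case-insensitive "</name" + word boundary is kept verbatim as one "raw" token.
function tokenize(src, rawTags = RAW_TEXT_TAGS) {
  const tokens = [];
  const tagRe = /<(\/?)([A-Za-z][\w:.-]*)([^>]*)>/g;
  let pos = 0;
  let m;
  while ((m = tagRe.exec(src)) !== null) {
    if (m.index > pos) tokens.push({ type: "text", value: src.slice(pos, m.index) });
    const name = m[2].toLowerCase();
    tokens.push({ type: m[1] ? "close" : "open", name });
    pos = tagRe.lastIndex;
    const selfClosing = m[3].trimEnd().endsWith("/");
    if (!m[1] && !selfClosing && rawTags.has(name)) {
      const endRe = new RegExp("</" + escapeRegExp(name) + "\\b", "i");
      const end = src.slice(pos).search(endRe);
      const stop = end === -1 ? src.length : pos + end;
      tokens.push({ type: "raw", value: src.slice(pos, stop) });
      pos = tagRe.lastIndex = stop; // resume tag scanning at the end tag
    }
  }
  if (pos < src.length) tokens.push({ type: "text", value: src.slice(pos) });
  return tokens;
}

// Constructed samples.
const INLINE_JS = '<script>if (a<b) el.innerHTML = "<b>hi</b>";</SCRIPT >';
const EARLY_END = '<script>var s = "</script>"; go();</script>';

// Raw-text mode: the whole body is one verbatim token, no encoding of "<" needed.
const rawMode = tokenize(INLINE_JS);
// Markup mode (empty raw-tag set): "<b) ... >" and "</b>" are seen as elements.
const markupMode = tokenize(INLINE_JS, new Set());
// The scan stops at the first end marker, even inside a string literal.
const earlyEnd = tokenize(EARLY_END);
```

Because the scan stops at the first end marker, a `</script` inside a JavaScript string literal also closes the element, so values written into inline scripts still need that sequence escaped.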