Last active
October 4, 2016 17:33
-
-
Save mk-pmb/f884b0a11f72ef5b92212dd7bc54ecc1 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| doctype html | |
| html | |
| head | |
| meta( http-equiv="Content-Type" content="text/html; charset=UTF-8" ) | |
| - var pageTitle = 'Complicated ways to write numbers' | |
| title= pageTitle | |
| meta( http-equiv="Content-Script-Type" content="text/javascript" ) | |
| body.page.screen | |
| h2= pageTitle | |
| script. | |
| 'use strict'; | |
| console.log("42 + 1 =", ("<!CDATA[[ </script> ]]>" + ((+(0</script>/) | |
| < '<!-- derp -->'.length) && "<script><!CDATA[[]]>")).length); | |
| script | |
| :cdata | |
| 'use strict'; | |
| console.log("42 + 1 =", ("<!CDATA[[ </script> ]]>" + ((+(0</script>/) | |
| < '<!-- derp -->'.length) && "<script><!CDATA[[]]>")).length); | |
| script | |
| :cdata-js | |
| 'use strict'; | |
| console.log("42 + 1 =", ("<!CDATA[[ </script> ]]>" + ((+(0</script>/) | |
| < '<!-- derp -->'.length) && "<script><!CDATA[[]]>")).length); | |
| script | |
| :escape-html | |
| 'use strict'; | |
| console.log("42 + 1 =", ("<!CDATA[[ </script> ]]>" + ((+(0</script>/) | |
| < '<!-- derp -->'.length) && "<script><!CDATA[[]]>")).length); |
The new one is even more evil. I hope pug can soon help me escape that properly!
PS: If anyone wonders why Firefox stops at </script> even though it's properly XML-escaped inside a CDATA section: Because that only applies to XML, not HTML.
Since the CDATA has no effect in HTML, updated to include a comment, too.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
nice html