Hi all,

I recently discovered that the HTML spec explicitly has a double escape state within a script tag wherein closing script tags are ignored. But I haven't been able to track down why this exists in any archives.

I don't think many people on the web are escaping it well, so I'd imagine it can be "dangerous" (the rest of the page gets swallowed by the script tag, so the document just ends there - no lasting damage, but not great behavior).

The gist is that if you are in a <script> tag and come across <!-- followed at some point by <script> again, then the next </script> is ignored, unless you leave comment mode -->. So some examples:

<script>"<!--"</script> - FINE
<script>"<script>"</script> - FINE
<script>"<!-- <a>"</script> - FINE
<script>"<!-- <script> -->"</script> - FINE
<script>"<!-- <\script>"</script> - FINE
<script>"<!-- <script>"</script> - BAD, we're actually still inside the script tag

I can't find any reference to escaping this well on stackoverflow. I've mostly seen people saying that just escaping closing tags would be fine (e.g. "<\/script>"), which is apparently untrue.

I'm sure there is a great reason for this to exist, and if anyone knows the rationale I'd love to hear it to better understand the parser.

Related, if anyone knows an actual safe full answer for escaping JS strings inlined in HTML (is it just this and script end tags?) I'd love to hear about it!

Thanks for any help!