Document.Write script blocks are broken even with valid JS escape characters

Not reproducible Issue #15588476

Details

Author
Eric F.
Created
Jan 23, 2018
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
41.16299
Reports
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

Writing a script block via document.write will break javascript parsing.
Microsoft Edge 41.16299.15.0
Microsoft EdgeHTML 16.16299

As described in this article: http://stackoverflow.com/a/236106/1434764

The code like this is in my document header:

<script src='//kendo.cdn.telerik.com/2017.3.1026/js/jquery.min.js'></script><script>(window.jQuery &amp;&amp; window.jQuery.fn &amp;&amp; window.jQuery.fn.modal||document.write("\x3Cscript src='/js/jquery.min.js?v=MQsmocJR5HzJRBNCr_Ran7BRdSpVyWWFtXBXEJOfSbQ'\x3C/script>"));</script>

Produces the following console errors:

 HTML1423: Malformed start tag. Attributes should be separated by whitespace.
custom (27,271)

 HTML1409: Invalid attribute name character. Attribute names should not contain ("),('),(), or (=).
custom (27,271)

 HTML1422: Malformed start tag. A self closing slash should be followed by a U+003E GREATER-THAN SIGN (>).
custom (27,271)

Attachments

1 attachment

Comments and activity

  • the above code seems to have become HTML-escaped. lets try again:

  • 
    
  • please see the StackOverflow link for a better example. Attaching complex HTML+Code doesn’t seem to work here.

  • Microsoft Edge Team

    Changed Assigned To to “Steven K.”

  • Hi Eric,

    This site does not like inline code.  It is best to attach anything the tool might try to parse.  Similar to this issue where the CDATA field parsing can cause trouble.  :-)

    I believe these errors are due to syntax errors in the same code provided.  The contents of the document.write() call should be surrouned with single quotes in order for the double quotation marks to parse properly.  Below is the first parsing issue I see, I.e. right before the escaped ‘Less-Than Sign’ which in the example URL you gave me is using the UTF-8 (hex) representation \x3C.  This was done to avoid issues with browser’s parsing routines"

     document.write('\x3Cscript

    Also, this code would only get called if the JQuery availability checks failed.  These are the ‘||’ tests.  One reason to do this if for scenarios where a user’s internet connection is slow or not available and other polyfill situations.

    I provided an example (public-repro.zip) where I do not provide an internet version of JQuery and so the document.write() method is called and will set the HTML file to source my local version of JQuery, I.e, the fallback case is being forced to test my syntax.

    It appears that document.write() is failing out of favor for various reasons which you can read about at the following links.  I am guessing you will run into that issue next.  :)

    https://stackoverflow.com/questions/802854/why-is-document-write-considered-a-bad-practice
    https://www.chromestatus.com/feature/5718547946799104

    Hope this helps,

    Steve

  • Microsoft Edge Team

    Changed Status to “Not reproducible”

You need to sign in to your Microsoft account to add a comment.

Sign in