alert is not working

guys,

I am having a sample code. Which is not running properly. It displays "); //]]> instead of alert. My code is below.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <script type="text/javascript"> //<![CDATA[ alert("</script>"); //]]> </script> </head> <body> </body> </html>

The browser does not understand that the script tag in the alert is not the closing tag.

Instead of looking at the html code, lets look at some JavaScript.

Your problem is equivalent to

var example = 'This is Eric's example.';

See the issue there? We want the whole string, but it chops it off early at the ' after Eric and throws an error. In the case of the HTML it stops it at the script tag in the code and than renders whatever else as text on the page.

So how would be fix the JavaScript example? We would escape the '


var example = 'This is Eric\'s example.';

And it would work fine.

What we need to do for the HTML issue is to break up the script tag into two parts.

<script type="text/javascript"> //<![CDATA[ alert("</sc" + "ript>"); //]]> </script>


The browser will no longer see the closing script tag when it is rendering the page.

Eric

Eric Pascarello wrote:The browser does not understand that the script tag in the alert is not the closing tag.

Instead of looking at the html code, lets look at some JavaScript.

Your problem is equivalent to

var example = 'This is Eric's example.';

See the issue there? We want the whole string, but it chops it off early at the ' after Eric and throws an error. In the case of the HTML it stops it at the script tag in the code and than renders whatever else as text on the page.

So how would be fix the JavaScript example? We would escape the '


var example = 'This is Eric\'s example.';

And it would work fine.

What we need to do for the HTML issue is to break up the script tag into two parts.

<script type="text/javascript"> //<![CDATA[ alert("</sc" + "ript>"); //]]> </script>


The browser will no longer see the closing script tag when it is rendering the page.

Eric

You may be right. But if i remove xhtml doctype and use

<!-- alert('</script>'); //-->

It works. Now i am unable to understand what is happening here.

So you are saying you changed it to look like:

<script type="text/javascript"> <!-- alert('</script>'); //--> </script>

I would still expect issues there.

Eric Pascarello wrote:So you are saying you changed it to look like:

<script type="text/javascript"> <!-- alert('</script>'); //--> </script>

I would still expect issues there.

Remove doctype. It will work.

And what horrible browser is this?

In the end you need the doc type on the page.

Eric

Eric Pascarello wrote:And what horrible browser is this?

In the end you need the doc type on the page.

Eric

As far as i know. if you use html not xhtml. You dont need doctype. Please correct if i am wrong. Please help. If you remove doctype the code above displays alert box.