In HTML (and XHTML if you're an evil person that sends your XHTML pages as text/html
), script
tags are #CDATA
, and therefore, the only thing that you shouldn't have in the content is </script>
, as that is all that the parser looks for to signal the end of the tag. Don't escape anything; just make sure you don't have </script>
in the tag content. For example, if you have a string with a closing script tag, split it up:
var a = '</scr' + 'ipt>';
In XHTML, sent as application/xhtml+xml
, script
tags are #PCDATA
, and therefore, escaping <
and &
is necessary, unless you can use a <![CDATA[ ... ]]>
block to change to #CDATA
parsing mode, but in that case, remember that you can't have ]]>
in your tag content.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…