Every JavaScript bundler handles inline script tags wrong
19 hours ago
- #Web Development
- #HTML
- #JavaScript
- JavaScript can be included in web pages via external files (using <script> tag with src attribute) or inline within <script> tags.
- Inline <script> tags are increasingly used for self-contained apps and HTML artifacts, but contain pitfalls like the string '</script>' prematurely ending the script.
- The HTML specification includes a 'script data double escaped state' loophole where sequences like <!-- followed by <script> prevent normal script termination.
- JavaScript build tools and minifiers often fail to correctly handle escaping of problematic strings (</script>, <!--) in literals and expressions for inline <script> tags.
- ESBuild performs best among tested tools but still fails to escape <!-- in literals; other tools like Terser, SWC, Oxc, Bun, UglifyJS, Closure Compiler, and minify also fail in various ways.
- No JavaScript build tool currently correctly handles all cases for inline <script> tags, highlighting the need for better awareness and handling of these edge cases.