Hasty Briefsbeta

Bilingual

Every JavaScript bundler handles inline script tags wrong

18 hours ago
  • #Web Development
  • #HTML
  • #JavaScript
  • JavaScript can be included in web pages via external files (using <script> tag with src attribute) or inline within <script> tags.
  • Inline <script> tags are increasingly used for self-contained apps and HTML artifacts, but contain pitfalls like the string '</script>' prematurely ending the script.
  • The HTML specification includes a 'script data double escaped state' loophole where sequences like <!-- followed by <script> prevent normal script termination.
  • JavaScript build tools and minifiers often fail to correctly handle escaping of problematic strings (</script>, <!--) in literals and expressions for inline <script> tags.
  • ESBuild performs best among tested tools but still fails to escape <!-- in literals; other tools like Terser, SWC, Oxc, Bun, UglifyJS, Closure Compiler, and minify also fail in various ways.
  • No JavaScript build tool currently correctly handles all cases for inline <script> tags, highlighting the need for better awareness and handling of these edge cases.