Long story short, unlike any other HTML tag, <script> implies different rules of escaping its content. The proper escaping is unreasonably difficult and can even be impossible under certain circumstances.

The problems with escaping often make the <script> element a source of vulnerabilities.

Instead of following uncertain rules, you can use <safescript> which follows regular HTML escaping rules via HTML entities.

For example, your EJS template could look like this:

<script>
  window.__INITIAL_STATE__ = <%- JSON.stringify(initialState) %>;
</script>

Which then makes your HTML look like that:

<script>
  window.__INITIAL_STATE__ = {
    "user": {
      "name": "</script><script>alert(document.location)</script>"
    }
  };
</script>

The valid JavaScript code above is not so valid from the HTML specs perspective: it contains a vulnerability.

With <safescript>, you must escape every special HTML character with a respective HTML entity. But once you do it, you can be sure all the script content will be decoded correctly.

To install SafeScript, simply run:

$ npm install safescript

Then, use <safescript> in the same manner as <script>:

<script src="./node_modules/safescript/index.js"></script>
<safescript>
  window.__INITIAL_STATE__ = <%= JSON.stringify(initialState) %>;
</safescript>

And here is how your actual HTML will look like:

<script src="./node_modules/safescript/index.js"></script>
<safescript>
  window.__INITIAL_STATE__ = {
    &#34;user&#34;: {
      &#34;name&#34;:&#34;&lt;/script&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;&#34;
    }
  };
</safescript>

FAQs

What is safescript?

Is safescript well maintained?

Package last updated on 11 May 2018

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install