Loading ...
Sorry, an error occurred while loading the content.

Unexpected '\'. in a String literal

Expand Messages
  • ia_perdomo
    Hi, It seems that this String literal a valid JavaScript code: var s = ; But JSLint reports: Problem at line 1 character 11: Unexpected . In tested
    Message 1 of 8 , May 20, 2011
    • 0 Attachment
      Hi,

      It seems that this String literal a valid JavaScript code:

      var s = '\>';

      But JSLint reports:
      Problem at line 1 character 11: Unexpected '\'.

      In tested several JavaScript implementation: Chrome, Firefox, Internet Explorer, Opera, Rhino, and the value of s is '>';

      The ECMAScript-262 3rd and 5th edition says:

      The CV of CharacterEscapeSequence :: NonEscapeCharacter is the CV of the NonEscapeCharacter.

      Meaning that: '\>' is '>' ?

      Can you comment why JSLint is reporting Unexpected '\' ?
    • John Hawkinson
      ia_perdomo wrote on Fri, 20 May 2011 ... JSLint realizes that if you put a backslash before a character that does not require it,
      Message 2 of 8 , May 20, 2011
      • 0 Attachment
        ia_perdomo <ivan.perdomo.hn@...> wrote on Fri, 20 May 2011
        at 18:12:21 -0000 in <ir6au5+5iui@...>:


        > var s = '\>';
        > Can you comment why JSLint is reporting Unexpected '\' ?

        JSLint realizes that if you put a backslash before a character that
        does not require it, you have probably made a mistake. Since putting a
        backslash before an arbitrary character may turn out to have a special
        meaning (that is not the character! E.g. \n), you should not use
        backslashes unless you need them.

        Is there a reason why you want to have a backslash here?

        --jhawk@...
        John Hawkinson
      • Douglas Crockford
        ... Yes. The in that position is necessary.
        Message 3 of 8 , May 20, 2011
        • 0 Attachment
          --- In jslint_com@yahoogroups.com, "ia_perdomo" <ivan.perdomo.hn@...> wrote:
          >
          > Hi,
          >
          > It seems that this String literal a valid JavaScript code:
          >
          > var s = '\>';
          >
          > But JSLint reports:
          > Problem at line 1 character 11: Unexpected '\'.

          > Can you comment why JSLint is reporting Unexpected '\' ?

          Yes. The \ in that position is necessary.
        • Erik Eckhardt
          If you truly need the backslash, doesn t this work? var s = ; ... [Non-text portions of this message have been removed]
          Message 4 of 8 , May 20, 2011
          • 0 Attachment
            If you truly need the backslash, doesn't this work?

            var s = '\\>';

            On Fri, May 20, 2011 at 11:17 AM, John Hawkinson <jhawk@...> wrote:

            >
            >
            > ia_perdomo <ivan.perdomo.hn@...> wrote on Fri, 20 May 2011
            > at 18:12:21 -0000 in <ir6au5+5iui@...>:
            >
            > > var s = '\>';
            >
            > > Can you comment why JSLint is reporting Unexpected '\' ?
            >
            > JSLint realizes that if you put a backslash before a character that
            > does not require it, you have probably made a mistake. Since putting a
            > backslash before an arbitrary character may turn out to have a special
            > meaning (that is not the character! E.g. \n), you should not use
            > backslashes unless you need them.
            >
            > Is there a reason why you want to have a backslash here?
            >
            > --jhawk@...
            > John Hawkinson
            >
            >
            >


            [Non-text portions of this message have been removed]
          • ia_perdomo
            ... I m generating JavaScript code with a template engine [1] and checking the resulting JS code with JSLint. It escapes the character to avoid a
            Message 5 of 8 , May 20, 2011
            • 0 Attachment
              > Is there a reason why you want to have a backslash here?
              >

              I'm generating JavaScript code with a template engine [1] and checking the resulting JS code with JSLint. It escapes the '>' character to avoid a '</script>' [2]

              [1] http://freemarker.org/
              [2] http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_js_string

              Thanks for your reply.

              Iván
            • ia_perdomo
              ... I guess that you meant unnecessary :)
              Message 6 of 8 , May 20, 2011
              • 0 Attachment
                > > Can you comment why JSLint is reporting Unexpected '\' ?
                >
                > Yes. The \ in that position is necessary.
                >

                I guess that you meant unnecessary :)
              • Rob Richardson
                An escaped is an ampersand then gt then a semicolon. will do nothing to protect you from XSS. Rob ... From: jslint_com@yahoogroups.com
                Message 7 of 8 , May 20, 2011
                • 0 Attachment
                  An escaped > is an ampersand then 'gt' then a semicolon. \> will do nothing
                  to protect you from XSS.

                  Rob


                  -----Original Message-----
                  From: jslint_com@yahoogroups.com [mailto:jslint_com@yahoogroups.com] On
                  Behalf Of ia_perdomo
                  Sent: Friday, May 20, 2011 12:55 PM
                  To: jslint_com@yahoogroups.com
                  Subject: Re: [jslint] Unexpected '\'. in a String literal




                  > Is there a reason why you want to have a backslash here?
                  >

                  I'm generating JavaScript code with a template engine [1] and checking the
                  resulting JS code with JSLint. It escapes the '>' character to avoid a
                  '</script>' [2]

                  [1] http://freemarker.org/
                  [2]
                  http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_js_string

                  Thanks for your reply.

                  Iván
                • Erik Eckhardt
                  Blacklisting and escaping are tricky propositions when it comes to trying to avoid XSS. See http://ha.ckers.org/xss.html for an amazing treasure trove of
                  Message 8 of 8 , May 20, 2011
                  • 0 Attachment
                    Blacklisting and escaping are tricky propositions when it comes to trying to
                    avoid XSS. See http://ha.ckers.org/xss.html for an amazing treasure trove of
                    potential ways to exploit these.

                    You're much better off using a whitelist approach, which immediately
                    eliminates everything in that XSS cheat sheet.

                    On Fri, May 20, 2011 at 12:55 PM, ia_perdomo <ivan.perdomo.hn@...>wrote:

                    >
                    >
                    >
                    >
                    > > Is there a reason why you want to have a backslash here?
                    > >
                    >
                    > I'm generating JavaScript code with a template engine [1] and checking the
                    > resulting JS code with JSLint. It escapes the '>' character to avoid a
                    > '</script>' [2]
                    >
                    > [1] http://freemarker.org/
                    > [2]
                    > http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_js_string
                    >
                    > Thanks for your reply.
                    >
                    > Iv�n
                    >
                    >
                    >


                    [Non-text portions of this message have been removed]
                  Your message has been successfully submitted and would be delivered to recipients shortly.