Given other questions on the same topic I feel I understand the apparent justifications for concatenating the <script> tag as '<scr'+'ipt..' in a javascript string, even if this itself is misguided.
However, looking at the code for the Instapaper bookmarklet I see d.createElement('scr' + 'ipt'). The relevant part of the code (beautified) is at the end of the question.
Even if this (anti-)pattern is to avoid the HTML parser balking at the markup after the occurrence of the closing <script> tag within a javascript string, I can see even less justification for doing it here given the concatenated text does not even represent a <script> tag.
In this case, is this done for some other reason?
javascript: function iprl5() {
var d = document,
z = d.createElement('scr' + 'ipt'), //???
b = d.body,
l = d.location;
It is silly to escape
"<script>"as it will not be parsed as tag inside a script block* and it is even sillier to treat"script"as special. It’s not. It lacks either a<or</, without which it will never be parsed as a tag — in any context. Thusf("script")andf("scr"+"ipt")have identical semantics.Technically in HTML, all
</in a script block need to be guarded against, but in practice browsers only care about</script>. Because of this,"<"+"/script>"is what I recommend, but that applies only to closing tags. That is,"<script>"(or"script"as the case may be) is perfectly valid inside a script block.Happy coding.
*By a compliant HTML parser: however, hand-rolled (regex) parsing may explode in terrible ways. The XML/XHTML rules are different, but then the
<needs to be encoded for those to be well-formed anyway … perhaps some obscurities with CDATA? In any case, it is irrelevant to HTML.Also, the linked answers do not argue for
"<scr"+"ipt.."(or subsets like"scr"+"ipt"): instead, they argue for guarding against the closing script-tag construct, which begins with</, that is not even present in the code in the post…