</script> in string literals is not escaped for embedding elm.js directly in HTML

[mkoppmann]

The Elm runtime crashes when </script> is used. Other XSS examples are correctly encoded.

Minimal example:

import Html exposing (text)
main = text "</script>"

Result:

_Platform_export({'Main':{'init':_VirtualDom_init($author$project$Main$main)(0)(0)}});}(this));

  var app = Elm.Main.init({ node: document.getElementById("elm") });
}
catch (e)
{
  // display initialization errors (e.g. bad flags, infinite recursion)
  var header = document.createElement("h1");
  header.style.fontFamily = "monospace";
  header.innerText = "Initialization Error";
  var pre = document.getElementById("elm");
  document.body.insertBefore(header, pre);
  pre.innerText = e;
  throw e;
}

Working example:

import Html exposing (text)
main =  text "<a href=\"javascript://%0Aalert('XSS');\">XSS</a>"

Result (correctly encoded):

<a href="javascript://%0Aalert('XSS');">XSS</a>

This happens in the Elm Playground, with elm reactor or builds created by elm make.

User input is also correctly encoded. This happens only for </script> when it’s used at compile-time.