--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
The "\/" quoting avoids at least one XSS. This line is valid ECMAScript:
var s = "</script><script>alert('pwned!');</script>";But if you embed that statement in HTML you have a problem: HTML doesn't know about JS string syntax, and the </script> will be interpreted as HTML."<\/script>" is equivalent from the JS perspective, but it dodges the HTML parser.