Merge pull request #216 from funklos/patch-1

close #204 Escaping script tags
zloirock · Jul 9, 2016 · 70f0841 · 70f0841
2 parents 60a946b + 3ff99ed
commit 70f0841
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/modules/_object-create.js b/modules/_object-create.js
@@ -11,6 +11,7 @@ var createDict = function(){
   // Thrash, waste and sodomy: IE GC bug
   var iframe = require('./_dom-create')('iframe')
     , i      = enumBugKeys.length
+    , lt     = '<'
     , gt     = '>'
     , iframeDocument;
   iframe.style.display = 'none';
@@ -20,7 +21,7 @@ var createDict = function(){
   // html.removeChild(iframe);
   iframeDocument = iframe.contentWindow.document;
   iframeDocument.open();
-  iframeDocument.write('<script>document.F=Object</script' + gt);
+  iframeDocument.write(lt + 'script' + gt + 'document.F=Object' + lt + '/script' + gt);
   iframeDocument.close();
   createDict = iframeDocument.F;
   while(i--)delete createDict[PROTOTYPE][enumBugKeys[i]];
@@ -37,4 +38,4 @@ module.exports = Object.create || function create(O, Properties){
     result[IE_PROTO] = O;
   } else result = createDict();
   return Properties === undefined ? result : dPs(result, Properties);
-};
+};