Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Problems with <pre> tag and injected script

See original GitHub issue

Issue details

In my HTML I have <pre><code>some code</code></pre>. Additionally I am using Vue.js which does not allow <script> tags inside document body .

For some reason I do not understand and found response yet, browser sync seems to inject a script tag into the first pre tag is found.

The script tag looks like this:

<script id="__bs_script__">//<![CDATA[
--
  | document.write("<script async src='/browser-sync/browser-sync-client.js?v=2.18.13'><\/script>".replace("HOST", location.hostname));
  | //]]></script>

Now, I cannot be sure if it is a bug or a feature, but this is causing me issues specifically with Vue.js (and probably with some other JS frameworks).

Steps to reproduce/test case

Create an HTML document which includes <pre> tags un the body (at least one). Load that HTML document using BrowserSync, this will result in a script inserted just before the <pre> close tag.

Please specify which version of Browsersync, node and, npm you’re running

Browsersync [2.18.13 ]
Node [8.9.1]
Npm [5.5.1]

Affected platforms

Windows 10 64 bit

Issue Analytics

State:
Created 6 years ago
Reactions:4
Comments:5

Top GitHub Comments

3reactions

rdelafuentecommented, Mar 28, 2019

Use this:

snippetOptions: {
    rule: {
      match: /<\/body>/i
    }
}

1reaction

fitztrevcommented, Sep 20, 2019

@JuanDMeGon yes. Laravel-Mix has a custom regex rule for browsersync to </pre> tags.

https://github.com/JeffreyWay/laravel-mix/blob/d432101c23198252e3952d8d89ee246d209265a8/src/components/Browsersync.js#L53

I have a PR to fix because I’ve run into the same issue: https://github.com/JeffreyWay/laravel-mix/pull/2227

Top Results From Across the Web

How is it possible that a <script> tag was injected, but not ...

1 Answer 1 · CSP: Check headers and meta tags. · Browser XSS filter: Only an issue if you are doing reflected XSS....

Thwarting XSS using dynamic pre tags - Stack Overflow

Anyway, I tried to inject with </pre><script>alert("XSS");</script><pre> , but it successfully thwarted the attempt and displayed the code ...

Script-injected "async scripts" considered harmful - igvita.com

Script -injected "async scripts" considered harmful. By Ilya Grigorik on May 20, 2014. Synchronous scripts are bad because they force the ...

5 ways to prevent code injection in JavaScript and Node.js

Use a Node.js security linter; Use a static code analysis (SCA) tool to find and fix code injection issues. 1. Avoid eval ...

Exploiting script injection flaws in ReactJS apps - Medium

ReactJS is a popular JavaScript library for building user interfaces. ... Script injection issues can result from bad programming practices ...

Troubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.

Start Free

Top Related Reddit Thread

No results found

Top Related Tweet

No results found

Top Related Dev.to Post

No results found

Problems with <pre> tag and injected script

Issue details

Steps to reproduce/test case

Please specify which version of Browsersync, node and, npm you’re running

Affected platforms

Issue Analytics

Top GitHub Comments

Top Results From Across the Web

Top Related Medium Post

Top Related StackOverflow Question

Troubleshoot Live Code

Top Related Reddit Thread

Top Related Hackernoon Post

Top Related Tweet

Top Related Dev.to Post

Top Related Hashnode Post

"File changed" HTML notification no longer appears after upgrading browser-sync version

Very slow page (re-)load/injection on localhost:3000 TTFB of around 5s