Escape content destined for a <style> tag to prevent tag breakout.
An attacker could include </style><script>... inside CSS to close
the style element and inject a script. This function replaces every
occurrence of </style (case-insensitive) with <\/style, which
is harmless in CSS but prevents the HTML parser from seeing a
closing </style> tag.
Parameters
css: string
The raw CSS text to sanitize.
Returns string
The sanitized CSS string safe for embedding inside <style>.
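An added example, not the project's own code: one way to write the replacement described above, next to a simplified model of how the HTML parser decides where a <style> element ends. The names escapeStyleContent, rawTextEnd and styleElementText are hypothetical, the sample CSS is constructed, and keeping the original letter case of the tag name is an assumption.

```javascript
// Hypothetical name; the page does not give the function's identifier.
// Inserts a backslash between "<" and "/" wherever "</style" appears,
// in any letter case. The tag name's original casing is kept (assumption).
function escapeStyleContent(css) {
  return String(css).replace(/<\/(?=style)/gi, "<\\/");
}

// Simplified model of the HTML tokenizer for <style> content: the text
// runs until the first "</style" (any case) that is followed by
// whitespace, "/" or ">". Returns that index, or -1 if there is none.
function rawTextEnd(content) {
  const m = /<\/style[\t\n\f\r \/>]/i.exec(content);
  return m ? m.index : -1;
}

// The part of the input the parser would keep inside the style element.
// Anything after it is parsed as ordinary HTML.
function styleElementText(content) {
  const end = rawTextEnd(content);
  return end === -1 ? content : content.slice(0, end);
}

// Constructed sample input with the payload shape described above.
const hostile = "a{color:red}</STYLE><script>...</script>";
const escaped = escapeStyleContent(hostile);

// Unescaped: the element ends after the first rule and the rest is markup.
console.log(JSON.stringify(styleElementText(hostile)));
// Escaped: no closing tag is recognised, so everything stays CSS text.
console.log(JSON.stringify(styleElementText(escaped)));
```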