You can't parse (X)HTML with regex.
Instead, you can parse it using innerHTML
.
var element = document.createElement('div');
element.innerHTML = myString; // Parse HTML properly (but unsafely)
However, this is not safe. Even if innerHTML
doesn't run the JS inside script
elements, malicious strings can still run arbitrary JS, e.g. with <img src="//" onerror="alert()">
.
To avoid that problem, you can use DOMImplementation.createHTMLDocument
to create a new document, which can be used as a sandbox.
var doc = document.implementation.createHTMLDocument(); // Sandbox
doc.body.innerHTML = myString; // Parse HTML properly
Alternatively, new browsers support DOMParser
:
var doc = new DOMParser().parseFromString(myString, 'text/html');
Once the HTML string has been parsed to the DOM, you can use DOM methods like getElementsByTagName
or querySelectorAll
to get all the script
elements.
var scriptElements = doc.getElementsByTagName('script');
Finally, [].map
can be used to obtain an array with the textContent
of each script
element.
var arrayScriptContents = [].map.call(scriptElements, function(el) {
return el.textContent;
});
The full code would be
var doc = document.implementation.createHTMLDocument(); // Sandbox
doc.body.innerHTML = myString; // Parse HTML properly
[].map.call(doc.getElementsByTagName('script'), function(el) {
return el.textContent;
});