google-apps-script google-caja

Does caja fix malformed HTML when using GAS createHtmlOutput() method?


In the following example the content "Here is some more text" is clearly outside the closing HTML tag. But when I run the script as a web app and view the page source it's inside the closing tag. Is this because caja is sanitizing the malformed HTML? Why sanitize in this way instead of informing me of the error?

GAS code:

function doGet() {
    var ParagraphContent = 'So much to do in so little time... ';
    var HTMLToOutput = '<html><h1>A header</h1><p>' + ParagraphContent + '</p></html>';
    // Deliberately appended after the closing </html> tag.
    var HtmlAndMore = HTMLToOutput + 'Here is some more text';
    var it = HtmlService.createHtmlOutput(HtmlAndMore);
    Logger.log(HtmlAndMore);
    return it;
}

GAS script editor Logging Output:

<html><h1>A header</h1><p>So much to do in so little time... </p></html>Here is some more text

Solution

  • Caja is designed to operate according to the HTML5 parsing algorithm (which is designed to codify browser vendors' consensus as to how HTML-in-the-wild must be parsed, and define a single correct parse-error-recovery strategy). That algorithm effectively specifies that trailing content after </html> shall be inserted into the <body>, so the result you are seeing is what is specified.

    However, it does also specify that that input is a parse error (which just means that it may be reported or may abort processing). Our latest technology ('ES5 mode') unfortunately does not yet make any attempt to report parse errors. I've made a note to fix that.
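
Since the parse error described in the answer is not reported, a pre-flight check on the string can surface it before it reaches HtmlService.createHtmlOutput(). The following is an added example, not code from the original post, Caja or Apps Script; the helper names findTrailingContent and requireCleanEnd are hypothetical, and the check is a heuristic rather than a full HTML5 parser.

```javascript
// Added example. Heuristic pre-flight check, not a full HTML5 parser:
// a literal "</html>" inside a <script> string or a comment is treated as the end tag.
// findTrailingContent and requireCleanEnd are hypothetical helper names.
var HTML_WS = /^[\t\n\f\r ]+|[\t\n\f\r ]+$/g;

function findTrailingContent(html) {
  // First </html> end tag, case-insensitive, optional whitespace before '>'.
  var m = /<\/html[\t\n\f\r ]*>/i.exec(html);
  if (m === null) {
    return { hasEndTag: false, parseError: false, offset: -1, trailing: '' };
  }
  var offset = m.index + m[0].length;
  // Comments and whitespace may follow </html>; any other token is a parse error
  // and is re-processed as body content.
  var significant = html.slice(offset)
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(HTML_WS, '');
  return {
    hasEndTag: true,
    parseError: significant.length > 0,
    offset: offset,
    trailing: significant
  };
}

// Throws instead of letting the parser relocate the content silently.
function requireCleanEnd(html) {
  var r = findTrailingContent(html);
  if (r.parseError) {
    throw new Error('Content after </html> at offset ' + r.offset + ': ' +
                    JSON.stringify(r.trailing.slice(0, 40)));
  }
  return html;
}

// The string from the question's Logger output.
var SAMPLE = '<html><h1>A header</h1><p>So much to do in so little time... </p></html>' +
             'Here is some more text';
console.log(findTrailingContent(SAMPLE));
```

Wrapping the argument as HtmlService.createHtmlOutput(requireCleanEnd(HtmlAndMore)) makes the question's doGet() fail loudly instead of serving a page whose structure differs from the string that was written.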