Browser Logs Script Injected Inside Inline HTML/JS Content
Closed this issue · 7 comments
Laravel Package Version
1.0.20
Laravel Version
11.41.3
PHP Version
8.2.12
System Info
Windows with XAMPP, and run using composer run dev
Description
When using the package, the browser logs feature injects JavaScript code into all rendered files.
While the general script injection works as expected, it also injects inside inline HTML/JavaScript content that is being used to populate or print data.
This leads to syntax errors in the frontend because the injected script breaks the inline JavaScript.
Steps To Reproduce
- Install and enable laravel/boost with browser logs enabled.
- Create a Blade template or view with inline JavaScript that outputs some dynamic HTML (e.g., document.write or template literals).
- Load the page in the browser.
Expected Behavior
The script injection for browser logs should:
- Only be added once per page (e.g., before </body>).
- Avoid being injected inside inline <script> blocks or raw HTML strings.
Actual Behavior
The injected script appears inside the inline script content, causing syntax errors and breaking the page.
Example
Code before injection
<script>
let html = `
<div>
<h1>Hello World</h1>
</div>
`;
document.body.innerHTML = html;
</script>
Code after injection (problematic)
<script>
let html = `
<div>
<h1>Hello World</h1>
</div>
<script>/* boost browser log script */</script>
`;
document.body.innerHTML = html; // ❌ SyntaxError
</script>
Hey there, thanks for reporting this issue.
We'll need more info and/or code to debug this further. Can you please create a repository with the command below, commit the code that reproduces the issue as one separate commit on the main/master branch and share the repository here?
Please make sure that you have the latest version of the Laravel installer in order to run this command. Please also make sure you have both Git & the GitHub CLI tool properly set up.
laravel new bug-report --github="--public"
Do not amend and create a separate commit with your custom changes. After you've posted the repository, we'll try to reproduce the issue.
Thanks!
Hi, thanks for your patience.
My earlier reproduction steps were not clear — sorry about that 🙏. I’ve now created a clean repo with a minimal example that shows the issue more clearly:
The key detail is that the error only occurs when the inline template literal includes a tag (this is needed for my print feature). Without , the code works fine, but with it, Boost injects its browser log script inside the string and causes a SyntaxError.
Hope this repo makes it easier to reproduce. Thanks again for looking into this!
Hey @jayaprakash-e-k, thanks for sharing the reproduction repo.
It looks like you’re inserting a full HTML document (with <html>, <head>, and <body> tags) into the existing body’s innerHTML. This ends up creating an invalid nested HTML structure. I’m not sure what the intended use case is here, but if you just want to avoid the script injection, you can set BOOST_BROWSER_LOGS_WATCHER=false.
Thanks for clarifying! I understand that disabling browser logs with BOOST_BROWSER_LOGS_WATCHER=false is a practical workaround for now, and I’ll go with that in my project.
Just to add a note for future reference: in my case, the HTML string is being written into a new window.open() for printing. The script injection ending up inside that template literal is what caused the SyntaxError.
I totally understand if this is considered an edge case, but it might be worth improving the injection logic in the future so that it doesn’t inject inside inline <script> blocks or JavaScript strings. That would make the feature a bit more robust.
Thanks again for looking into this and for the quick response 🙌
I see your point, this could indeed be a real issue. Using a DOM parser might be a more reliable way to handle the script injection.
That said, I wasn’t entirely sure about the code in the reproduction repo, which is why I flagged it earlier. I’ll leave it to @ashleyhindle to decide whether we want to support this scenario in Boost for now. But if you can update the repo with some minimal code that reproduces the actual issue, that would be really helpful.
Thanks for reopening,
I’ve updated the reproduction repo — in my case the HTML isn’t being inserted into the existing page, but written into a new window.open() for printing (using printWindow.document.write(html)). That’s where the injected script ends up inside the template literal and causes the syntax error.
This comes up in practical scenarios like printing KOTs/receipts in POS systems, invoices in billing apps, or tickets/reports in other applications. For now I’ll disable browser logs with BOOST_BROWSER_LOGS_WATCHER=false as suggested, but I understand it’s ultimately up to him to decide whether supporting this scenario in Boost makes sense in the future.
I tried handling this with phpdom, but there are too many edge cases. I also don't want to bring in a new dependency just for this small issue. For now, you will need to disable BOOST_BROWSER_LOGS_WATCHER to avoid any problems. You can disable the tool in boost.php as well, though adding more code for a single edge case does not feel justified right now.
If more people run into this in the future, I am happy to revisit. Thanks.
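An added example, not part of the thread and not Boost's code: it contrasts an assumed naive injector (insert before the first `</body>` found anywhere) with one that masks inline `<script>` contents before searching, so a `</body>` inside a JavaScript string is never chosen as the insertion point. The `SNIPPET` constant, both function names and the sample page are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the injected logger; not the package's real snippet.
const SNIPPET = '<script id="browser-logger">/* logger */</script>';

// Assumed naive strategy: insert before the first "</body>" found anywhere.
function injectNaive(string $html): string
{
    $pos = stripos($html, '</body>');
    return $pos === false ? $html : substr_replace($html, SNIPPET, $pos, 0);
}

// Script-aware strategy: ignore "</body>" inside <script>...</script> content
// and insert once, before the last real closing tag.
function injectOutsideScripts(string $html): string
{
    // Blank out script contents with same-length padding so offsets still match.
    $masked = preg_replace_callback(
        '~(<script\b[^>]*>)(.*?)(</script\s*>)~is',
        fn (array $m): string => $m[1] . str_repeat(' ', strlen($m[2])) . $m[3],
        $html
    );
    if ($masked === null) {
        return $html; // regex failure: leave the response untouched
    }
    $pos = strripos($masked, '</body>');
    return $pos === false ? $html : substr_replace($html, SNIPPET, $pos, 0);
}

// Constructed page: the inline script builds a print document as a string.
$page = <<<'HTML'
<html><body>
<script>
let html = `<html><body><h1>Receipt</h1></body></html>`;
const w = window.open(); w.document.write(html);
</script>
</body></html>
HTML;

$naive = injectNaive($page);
$safe  = injectOutsideScripts($page);

// Naive: the snippet lands inside the template literal, ahead of window.open.
var_dump(strpos($naive, SNIPPET) < strpos($naive, 'window.open'));
// Script-aware: the snippet lands after the inline script's own code.
var_dump(strpos($safe, SNIPPET) > strpos($safe, 'document.write'));
```

The mask only covers `<script>` elements; a `</body>` inside an HTML comment or an attribute value would still need a real parser.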