Convert PHP XSS Clean Function to Javascript
idea by gregthe1
Convert this function to javascript, preferably without requiring 3rd party js libraries.
target reached
Project progress
The pledgers and developers have agreed that the project has been completed.
You can download the finished product, and you can still pledge to the project (effectively a donation to the developer).
Developer Info
slamidtfyn has completed this project.
Project Info
License is open-source.
1 person is pledging, and $22.50 of the pledges have been paid.
Project Tags
convert javascript php security translate xss
Project details
This PHP code/function looks useful for cleaning up user-generated HTML against XSS attacks. But I think it would be handy to have the function in JavaScript.
16 comments (oldest first)
Micropledge, why does it say waiting for quotes if there is already a quote for under the pledged amount?
What happens is there’s a two-week quoting period, so other developers have a chance to quote as well, and then the best quote will be chosen.
If slamidtfyn is the only quoter at the end of two weeks (18 Sep), he’ll be allowed to wait for another quoter or end the quoting time immediately and become the developer himself.
Hmm, so I can’t just choose slamidtfyn right now? I like his quote. This policy seems like it would hinder people wanting a fast-tracked project, unless I’m just not understanding it.
Hi
You could close the project and I could create a developer project with the same goal and begin coding today?
Greg, the reason you can’t close quotes and choose slamidtfyn right now is because (we think/thought) that’d give the project creator too much power.
But this raises a good point: namely what if it’s a small project that the creator wants fast-tracked. Maybe there should be a short (say 3-day) quoting period for shorter projects. Not sure how “shorter” would be determined – could be something the project creator sets.
Could there be a voting system similar to approving the work? So for example, I choose Slamidtfyn then other pledgers have 24-48 hours to say “yes” or say “no, let’s wait for more quotes”.
In this case I’m the only pledger, so whatever I say should go, right?
These are tricky questions indeed.
So for this project as a “work-around”, could I close this project, and have Slamidtfyn create a similar project where he is only allowed to develop it, and then I pledge on that?
Slamidtfyn, is this what you were suggesting?
Hi gregthe1,
Yes, that’s my suggestion.
Slamidtfyn,
I’m still working on getting the file. It may be a bug in Micropledge. I think they’re working on it.
Micropledge, you can delete this comment once everything is figured out.
It’s not so much a bug as an imperfect UI which meant it was easy for you to accidentally vote 85%. Since you’re the only pledger, it went through straight away, and now slamidtfyn gets a chance to accept your vote or “negotiate further”.
Slamidtfyn, it’s looking good but there’s one point I’m confused about.
The original html_entity_decode function doesn’t seem to convert < and > to &gt; … Why does your code do that?
Hi gregthe1
I can see I have made a mistake there; I will fix it ASAP.
Hi Gregthe1
I have found a workaround for this issue; try the new version.
Thanks for addressing that so quickly. It still isn’t working quite right though.
It seems to be duplicating things in the input str. For example:
html head title greg /title script alert(‘hi’); /script /head body a test /a /body /html
goes to
html head title greg /title html head title …
(This form won’t let me put HTML in, so for the input part pretend there are angle brackets in the right places.) I’ll send you an email if that doesn’t make sense.
Damn, I was sleeping when I made this zzzzzZZZZZzzzz.
Sorry!
I have corrected this too now.
Thanks Slamidtfyn. It seems to work nicely now. I’ll post here if I hit any problems. Excellent work!
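A minimal JavaScript port of PHP’s html_entity_decode, the step the thread above says the first version got wrong, as an added example (not slamidtfyn’s delivered code): the sample document is reconstructed from gregthe1’s comment with the angle brackets the form stripped, and the function names are assumed.

```javascript
// Added example, not the project's delivered code: a minimal JavaScript port of
// PHP's html_entity_decode(). The thread's two bug reports define the contract:
// "<" and ">" must stay as they are (never become "&gt;"), and the input must
// never be duplicated in the output.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0" };

function htmlEntityDecode(str) {
  // One pass over the input: each entity is replaced exactly once, so the
  // output can never contain a second copy of the original string.
  return str.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const code = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      // Unknown or out-of-range code points are left untouched, as PHP does.
      return Number.isNaN(code) || code > 0x10ffff ? match : String.fromCodePoint(code);
    }
    // Named entities are case-sensitive in PHP, so no lower-casing here.
    const named = NAMED_ENTITIES[body];
    return named === undefined ? match : named;
  });
}

// The document gregthe1 posted (constructed here with the angle brackets the
// comment form stripped); a correct decode must return it unchanged.
const SAMPLE_INPUT =
  "<html><head><title>greg</title><script>alert('hi');</script></head>" +
  "<body><a>test</a></body></html>";

// Regression checks for both bugs from the thread, as a function so the
// results can be asserted on rather than only printed.
function checkDecoder(input) {
  const out = htmlEntityDecode(input);
  return {
    unchanged: out === input,              // no "<" -> "&gt;" conversion
    noDuplication: out.length === input.length,
  };
}

console.log(checkDecoder(SAMPLE_INPUT)); // { unchanged: true, noDuplication: true }
```

Note that decoding is not idempotent (`&amp;lt;` decodes to `&lt;`, which a second pass turns into `<`), so an XSS cleaner must inspect the decoded form rather than the raw one.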