Convert PHP XSS Clean Function to Javascript

Convert this function to javascript, preferably without requiring 3rd party js libraries.

$20
target reached
$22.50 contributed, $22.50 held in trust
$

Project progress

The pledgers and developers have agreed that the project has been completed.

You can download the finished product, and you can still pledge to the project (effectively a donation to the developer).

18 Sep
8 Oct
project completed
Downloads

Developer Info

slamidtfyn has completed this project.

Go to the developer’s website.

Project Info

License is open-source.

1 person is pledging, and $22.50 of the pledges have been paid.

Project Tags

convert javascript php security translate xss
comments

Project details

This PHP code/function looks useful for cleaning up user generated HTML against XSS attacks. But I think it would be handy to have the function in javascript.

add your own

16 comments (oldest first)

gregthe1 17 years ago link

Micropledge, why does it say waiting for quotes if there is already a quote for under the pledged amount?

Ben 17 years ago link

What happens is there’s a two-week quoting period, so other developers have a chance to quote as well, and then the best quote will be chosen.

If slamidtfyn is the only quoter at the end of two weeks (18 Sep), he’ll be allowed to wait for another quoter or end the quoting time immediately and become the developer himself.

gregthe1 17 years ago link

Hmm, so I can’t just choose slamidtfyn right now? I like his quote. This policy seems like it would hinder people wanting a fast-tracked project, unless I’m just not understanding it.

slamidtfyn 17 years ago link

Hi

You could close the project and I could create a developer project with the same goal and begin coding today?

Ben 17 years ago link

Greg, the reason you can’t close quotes and choose slamidtfyn right now is because (we think/thought) that’d give the project creator too much power.

But this raises a good point: namely what if it’s a small project that the creator wants fast-tracked. Maybe there should be a short (say 3-day) quoting period for shorter projects. Not sure how “shorter” would be determined – could be something the project creator sets.

gregthe1 17 years ago link

Could there be a voting system similar to approving the work? So for example, I choose Slamidtfyn then other pledgers have 24-48 hours to say “yes” or say “no, let’s wait for more quotes”.

In this case I’m the only pledger, so whatever I say should go, right?

These are ticky questions indeed.

gregthe1 17 years ago link

So for this project as a “work-around”, could I close this project, and have Slamiddtfyn create a similar project where he is only allowed to develop it, and then I pledge on that?

Slamidtfyn, is this what you were suggesting?

slamidtfyn 17 years ago link

Hi gregthe1,

Yes that’s my suggestion

gregthe1 17 years ago link

Slamidtfyn,

I’m still working on getting the file. It may be a bug in Micropledge. I think they’re working on it.

Micropledge, you can delete this comment once everything is figured out.

Ben 17 years ago link

It’s not so much a bug as an imperfect UI which meant it was easy for you to accidentally vote 85%. Since you’re the only pledger, it went through straight away, and now slamidtfyn gets a chance to accept your vote or “negotiate further”.

gregthe1 17 years ago * link

Slamidtfyn, it’s looking good but there’s one point I’m confused about.

The original html_entity_decode function doesn’t seem to convert <, and > to & g t ; … Why does your code do that?

slamidtfyn 17 years ago link

Hi gregthe1

I can see I have made a mistake there, I will fix it asap

slamidtfyn 17 years ago link

Hi Gregthe1

I have found a workaround for this issue, try the new version

gregthe1 17 years ago * link

Thanks for addressing that so quickly. It still isn’t working quite right though.

It seems to be duplicating things in the input str. For example:

html head title greg /title script alert(‘hi’); /script /head body a test /a /body /html

goes to

html head title greg /title html head title …

(this form won’t let me put HTML to for the input part pretends there are angle brackets in the right places.) I’ll send you an email if that doesn’t make sense.

slamidtfyn 17 years ago link

Damn, I was sleeping when a made this zzzzzZZZZZzzzz.

Sorry!

I have corrected this too now.

gregthe1 17 years ago link

Thanks Slamidtfyn. It seems to work nicely now. I’ll post here if I hit any problems. Excellent work!

Add a comment

Before you add a comment you must be signed up – it takes about 30 seconds. Sign up now.

Markdown formatting help:

Type thisTo get
*italics*italics
**bold**bold
[Brush](http://brush.co.nz/)Brush
* item A
* item B
* item C
  • item A
  • item B
  • item C