Cross-site scripting and HTML injection

Been reading about Cross-site scripting today on Wikipedia just to see if there was anything I didn't already know. I'm in the process of code reviewing the entire Pcphpjs code base to remove all the XSS vulnerabilities that I left latent while hacking it together and learning the CodeIgniter and Doctrine frameworks. Now things are relatively stable so I'm going to go over the whole thing and refactor it with a view to code reviewing data handling for HTML injection while I'm at it.

JavaScript base64_encode

This is where all the trouble began. Back on July 19th this year I commented on the base64_encode function over at phpjs.org letting them know about a bug in their function whereby they were encoding as UTF-8 (whatever that means) prior to doing the Base64 encoding, which is a bug. Anyway, I had to patch the code myself for its use in pccipher and after several months no-one at phpjs has fixed up the implementation. So, that makes me mad, and when I'm mad, I fork!

I forked ProgSoc into ProgClub, and now I'm forking phpjs.org into jsphp.co. Both times it was because there was something going on that gave me the shits and I felt as if I could do a better job. So far I'm really pleased with my results. One great thing about forking is that it encourages the other party to lift their game. I wouldn't be surprised to see phpjs.org improve its features after they see what I've done with jsphp.co.

Update: I ended up fixing that base64_encode function. My notes are in the comments.

jsphp.co developments

I'm working on my jsphp.co web-site. I haven't deployed my latest changes yet, so there's nothing there on the main web-site just now, except if you head over to checkout the development area which has all my latest changes. Basically over the last couple of days I've added support for:

  • Home page
  • Category listing
  • Function listing
    • View function, tests and benchmark with linkable line numbers
    • Edit function, tests and benchmark with summary
    • Test the code using QUnit
    • Benchmark code and compare versions
    • List revisions and view, edit or change the release status
    • List developers including local and upstream contributors
    • Comments on functions or tests (incomplete)
    • Link to features, such as code downloads or the phpjs.org implementation
    • Administer the function
  • Contributor listing
    • Lists local contributors
    • Lists upstream contributors
  • Licensing info
  • Downloads
  • Links to other web-sites
  • Contact information
  • System administration
    • Manage categories
    • Manage functions
    • Manage users
    • Manage upstream developers
    • View errors

There's still a little bit to do. Basically I need to review the entire code base for HTML injection and XSS vulnerabilities, I need to fix up the commenting subsystem to allow for editing and creation of comments, I need to protect from some changes (e.g. only administrators can release a function version), many of the forms need better/reviewed workflow for errors and omissions, there needs to be a facility for adding and removing upstream developers, and that's about it. Once I've got those planned changes done I'll release the latest version of the site and begin the process of importing the phpjs.org code base.