Infinity cycling

[dsteb]

function xssPrevent(string, flag) goes in infinity loop if the text in input is something like «^1%».
It's because of escaping in for loop:

master/jquery.fcbkcomplete.js:lines 441-448:

      for(i = 0; i < string.length; i++) {
        var charcode = string.charCodeAt(i);
        if ((_key.exclamation <= charcode && charcode <= _key.slash) ||
            (_key.colon <= charcode && charcode <= _key.at) ||
            (_key.squarebricket_left <= charcode && charcode <= _key.apostrof)) {
          string = string.replace(string[i], escape(string[i]));
        }
      }

Javascripts hangs up and browser hangs up.

[dsteb]

The problem is in wrong usage of «String.replace». If there are several occurancies of identical characters in string, «String.replace» is replacing only first always. And the cycle goes forever.

«^1%» ^ replaces to %5E, but last % replaces first % to %25 again, and we gets %255E%, and it's forever %2525E% ... %252525E% ....

The solution is replace character at position:
446: »»» string = string.replace(string[i], escape(string[i]));
446: string = string.substring(0, i) + escape(string[i]) + string.substring(i + 1);