Difficulty with XSS (cross-site scripting) error on my journal site

Hi awesome fellas,

I earlier posted a question looking for alternatives for tickers and managed to code something that works just fine as expected.

My journal site is ijmasr.com and the ticker is on the right hand sidebar of the landing page titled “Latest News”.

My problem is the news has to scroll bottom up and there is a javascrip that gets the job done. Unfortunately, the script does not run because of the no nonsense XSS(cross-site scripting) doing a great job. I have read a little about the topic and have learned HTML encoding could fix this but I have no idea how to go about the fix.

Here is the HTML code i inserted in the custom block.

<div class="ticker">
<h3>Latest News</h3>
<ul id="ticker">
<li><a>IJMASR</a> invites multiple types of research including theoretically grounded studies.</li>
<li><a>IJMASR</a> is an international peer-reviewed multidisciplinary journal that accepts papers from all areas of Management, Science and IT.</li>
<script type="mce-mce-text/javascript">// <![CDATA[
function ticker() {
  $('#ticker li:first').slideUp(function() {
var timer = setInterval(ticker, 3000);
    timer = setInterval(ticker, 3000);
// ]]></script>

I really need this feature on my journal and cant do away with it. For this reason, i need your ever kind help and guide to fix either the html code or how to keep the ticker and XSS working.

Where are you seeing an XSS warning or error? I’m not seeing one.

Why is the script type “mce-mce-text/javascript”? I would have expected “text/javascript”.

Hi @SelasePKP,

See also my follow-up to this question on StackOverflow.

Alec Smecher
Public Knowledge Project Team

@ctgraham and @asmecher Thanks for responding.

I get the error anytime the page loads. It doesn’t turn up on the page but I notice the ticker does not scroll up as should be. When i do an inspect element i get the error showing with the mention of XSS. Also I have no idea how the “MCE” appears after i save my code when it wasn’t included in the first place.

Either way it seems okay now without having to change anything except take out the MCE which i didnt add to begin with. I followed @asmecher response from stack overflow and was doing exactly the same thing to start with. I guess its the “MCE” that was the culprit.

I also learned from the response that I am loading a really old version of jQuery (1.4.4) and seem to be trying to invoke jQuery before it is loaded.
How can i alter the code to be current and less buggy?


If you are invoking jQuery before it is loaded, you may need to wrap your call in a $(document).ready() call.

jQuery was updated for the 3.x release, and you may want to check out this post regarding porting that back to 2.x:

Additionally, some other folks report having done a jQuery update, and might be able to offer pointers: