[WEB SECURITY] XSS cheat sheet for developers

Erlend Oftedal erlend at oftedal.no
Wed Feb 27 03:31:16 EST 2013


Hard to tell, really, as your website blocks IE10 thinking it's IE6 (not
optimizing for old browsers is OK, but blocking is an antipattern -
especially when it's wrong).

Joke aside, the document itself seems decent. It's easy to get an overview
of the context. Did you test your CSS escaping in older browsers? I seem
to remember there were some problems, and that escaping itself was not
enough.

Also, why build your own cheat sheet instead of contributing to the
established free and open OWASP XSS Prevention Cheat Sheet?

Best regards,
Erlend Oftedal

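As an added illustration of the point about contexts and about CSS escaping not being enough on its own (example code written for this page, not taken from the cheat sheet or the Coverity Security Library): the encoder must match where the data lands, and for a CSS property value an allowlist check is the safer default, since hex-escaping leaves the letters of a legacy `expression()` call untouched. The function names, the colour allowlist and the sample inputs are assumptions constructed here.

```python
import re


def escape_html(s):
    # HTML body/attribute context: entity-encode the characters that can
    # break out of text or a quoted attribute (the common six-character rule).
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#x27;").replace("/", "&#x2F;"))


def escape_css(s):
    # CSS string/value context: hex-escape every character that is not an
    # ASCII letter or digit as "\HH " (trailing space terminates the escape).
    # Letters and digits pass through, so a word like "expression" survives.
    return "".join(c if (c.isascii() and c.isalnum()) else "\\{:x} ".format(ord(c))
                   for c in s)


# Allowlist for a user-chosen colour: "#rgb" or "#rrggbb" only (constructed rule).
_CSS_COLOR = re.compile(r"\A#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?\Z")


def safe_css_color(value, default="#000000"):
    # Validation rather than escaping: anything outside the allowlist is
    # replaced by a fixed default, so no attacker-chosen token reaches the
    # CSS parser at all.
    return value if _CSS_COLOR.match(value) else default


def render_profile(name, color):
    # Each untrusted value goes through the encoder for its own context.
    return '<div style="color:{c}">{n}</div>'.format(
        c=safe_css_color(color), n=escape_html(name))
```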

On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com> wrote:

> Everybody,
> We release an XSS cheat sheet for developers today. The document talks
> about several contexts (13 combinations right now, but we'll be improving
> it).
> Some more info is available on the Coverity blog:
>
> https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
>
> Our goal is to keep improving this cheat sheet while adding escapers and
> sanitizers to our library:
>   https://github.com/coverity/coverity-security-library
>
> Cheers,
> Romain
>
>