[WEB SECURITY] XSS cheat sheet for developers

romain r at fuckthespam.com
Wed Feb 27 10:45:22 EST 2013


Argh, sorry about the blog and IE10. Not the first time I hear that...

Concerning the CSS string escaper, we did some testing, but not on super old
browsers actually. However, we looked at how CSS parsers recover
from errors, and what characters need to be escaped. That's mostly why our
CSS string escaper will escape newline chars and more. Still, we have
some more work to do; CSS parsers are a real pain.

Contributing to the OWASP XSS prevention cheat sheet is something we talked
about. However, the OWASP document is first of all promoting ESAPI, whereas we
are sorta promoting our lib. We are also talking about HTML contexts at a
more fine-grained level and it's difficult to put this in the OWASP framework.
The OWASP cheat sheet format also doesn't play well with what we wanted to
do. They are driven by a few rules for preventing XSS; we're more about code
examples.

Romain
 - @rgaucher
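As an added illustration of the newline point made above (this is example code written for this page, not the escaper from the Coverity Security Library, and the function names are my own): a CSS string escaper that hex-escapes everything except ASCII letters and digits, emits the trailing space that the CSS tokenizer consumes after a hex escape, and a minimal unescaper that models that tokenizer rule so the round trip can be checked. The sample inputs in the main block are constructed.

```python
import re

# Only ASCII letters and digits pass through untouched; everything else,
# including quotes, backslash, newline, '<', '>', '&', '/' and non-ASCII,
# becomes a CSS hex escape. Over-escaping is harmless inside a CSS string
# and avoids reasoning about each parser's error recovery on bad strings.
def css_string_escape(value: str) -> str:
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            # "\<hex> ": the trailing space is consumed by the tokenizer and
            # stops a following hex digit from being swallowed into the escape.
            out.append("\\%x " % ord(ch))
    return "".join(out)

# Builds a double-quoted CSS string literal from untrusted text.
def css_string_literal(value: str) -> str:
    return '"' + css_string_escape(value) + '"'

# Models the CSS tokenizer rule for hex escapes: a backslash, 1 to 6 hex
# digits, then one optional whitespace that belongs to the escape.
# (Simplified: the spec also treats "\r\n" as a single whitespace here.)
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{1,6})[ \t\n\r\f]?")

def css_string_unescape(escaped: str) -> str:
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), escaped)

# Review-time sanity check: an escaped string must consist only of
# alphanumerics, backslashes and spaces, so it can neither terminate the
# quoted string (quote or raw newline) nor the surrounding <style> block.
_INERT = re.compile(r"^[A-Za-z0-9\\ ]*$")

def is_inert(escaped: str) -> bool:
    return _INERT.match(escaped) is not None

if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    samples = ["plain", "a\nb", 'x" ; color: red', "</style><b>", "caf\u00e9"]
    for sample in samples:
        lit = css_string_literal(sample)
        print(f".msg::before {{ content: {lit}; }}")
        assert is_inert(css_string_escape(sample))
        assert css_string_unescape(css_string_escape(sample)) == sample
```

The unescaper is there to show why the space after each escape matters: `"\n1"` escapes to `\a 1`, which the tokenizer reads back as a newline followed by the digit 1, whereas `\a1` without the space is a single code point (U+00A1).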


On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no> wrote:

> Hard to tell really as your website blocks IE10 thinking it's IE6 (not
> optimizing for old browsers is ok, but blocking is an antipattern -
> especially when it's wrong).
>
> Joke aside, the document itself seems decent. It's easy to get an overview
> over the context. Did you test your CSS escaping in older browsers? I seem
> to remember there were some problems, and that escaping itself was not
> enough.
>
> Also, why build your own cheat sheet instead of contributing to the
> established free and open OWASP XSS Prevention Cheat Sheet?
>
> Best regards,
> Erlend Oftedal
>
>
> On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com> wrote:
>
>> Everybody,
>> We release an XSS cheat sheet for developers today. The document talks
>> about several contexts (13 combinations right now, but we'll be improving
>> it).
>> Some more info is available on the Coverity blog:
>>
>> https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
>>
>> Our goal is to keep improving this cheat sheet while adding escapers and
>> sanitizers to our library:
>>   https://github.com/coverity/coverity-security-library
>>
>> Cheers,
>> Romain
>>
>>
>