[WEB SECURITY] XSS cheat sheet for developers

Eric Sheridan eric.sheridan at owasp.org
Wed Feb 27 11:13:28 EST 2013


At least you admit you're promoting something of your own (i.e. CSL) by
keeping it separate instead of helping OWASP T10 promote their agenda
(ex: ESAPI).

Nice research.

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com

On 2/27/13 10:45 AM, romain wrote:
> Argh, sorry about the blog and IE10. Not the first time I hear that...
> 
> Concerning the CSS string escaper, we did some testing, but not on super
> old browsers actually. However, we looked at how CSS parsers recover
> from errors, and what characters need to be escaped. That's
> mostly why our CSS string escaper will escape newline chars and more.
> Still, we have some more work to do; CSS parsers are a real pain.
> 
> Contributing to the OWASP XSS prevention cheat sheet is something we talked
> about. However, the OWASP document is first of all promoting ESAPI when
> we are sorta promoting our lib. We are also talking about HTML contexts
> at a more fine-grained level and it's difficult to put this in the OWASP
> framework.
> The OWASP cheat sheet format also doesn't play well with what we wanted
> to do. They are driven by a few rules for preventing XSS, we're more about
> code examples.
> 
> Romain
>  - @rgaucher
> 
> 
> On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no
> <mailto:erlend at oftedal.no>> wrote:
> 
>     Hard to tell really as your website blocks IE10 thinking it's IE6
>     (not optimizing for old browsers is ok, but blocking is an
>     antipattern - especially when it's wrong).
> 
>     Joke aside, the document itself seems decent. It's easy to get an
>     overview of the contexts. Did you test your CSS escaping in older
>     browsers? I seem to remember there were some problems, and that
>     escaping itself was not enough.
> 
>     Also, why build your own cheat sheet instead of contributing to the
>     established free and open OWASP XSS Prevention Cheat Sheet?
> 
>     Best regards,
>     Erlend Oftedal
> 
> 
>     On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com
>     <mailto:r at fuckthespam.com>> wrote:
> 
>         Everybody,
>         We released an XSS cheat sheet for developers today. The document
>         talks about several contexts (13 combinations right now, but
>         we'll be improving it).
>         Some more info is available on the Coverity blog:
>           https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
> 
>         Our goal is to keep improving this cheat sheet while adding
>         escapers and sanitizers to our library:
>           https://github.com/coverity/coverity-security-library
> 
>         Cheers,
>         Romain
>           
> 
>         _______________________________________________
>         The Web Security Mailing List
> 
>         WebSecurity RSS Feed
>         http://www.webappsec.org/rss/websecurity.rss
> 
>         Join WASC on LinkedIn
>         http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
>         WASC on Twitter
>         http://twitter.com/wascupdates
> 
>         websecurity at lists.webappsec.org
>         <mailto:websecurity at lists.webappsec.org>
>         http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> 