[WEB SECURITY] XSS cheat sheet for developers

Jim Manico jim at manico.net
Wed Feb 27 11:29:08 EST 2013


Romain,

If you are willing to donate some of your (most excellent) content to OWASP and help collaborate on the OWASP XSS Prevention Cheatsheet, I would be super happy to drop ESAPI from it and make the guide more vendor and product neutral. I would also be happy to add you as a core contributor.

The invitation is there, it would be a great pleasure to work with you on this for the community at large.

Aloha,

Jim Manico
OWASP Board Member
jim at owasp.org

> At least you admit you're promoting something of your own (i.e. CSL) by
> keeping it separate instead of helping OWASP T10 promote their agenda
> (ex: ESAPI).
>
> Nice research.
>
> Sincerely,
> Eric Sheridan
> (twitter) @eric_sheridan
> (blog) http://ericsheridan.blogspot.com
>
> On 2/27/13 10:45 AM, romain wrote:
>> Argh, sorry about the blog and IE10. Not the first time I've heard that...
>>
>> Concerning the CSS string escaper, we did some testing, but not on super
>> old browsers actually. However, we looked at how CSS parsers recover
>> from errors, and what characters need to be escaped. That's mostly why
>> our CSS string escaper will escape newline chars and more. Still, we
>> have some more work to do; CSS parsers are a real pain.
>>
>> Contributing to the OWASP XSS prevention cheat sheet is something we
>> talked about. However, the OWASP document is first of all promoting
>> ESAPI, whereas we are sort of promoting our lib. We are also talking
>> about HTML contexts at a more fine-grained level, and it's difficult to
>> put this in the OWASP framework.
>> The OWASP cheat sheet format also doesn't play well with what we wanted
>> to do. They are driven by a few rules for preventing XSS; we're more
>> about code examples.
>>
>> Romain
>>  - @rgaucher
>>
>>
>> On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no
>> <mailto:erlend at oftedal.no>> wrote:
>>
>>     Hard to tell really as your website blocks IE10 thinking it's IE6
>>     (not optimizing for old browsers is ok, but blocking is an
>>     antipattern - especially when it's wrong).
>>
>>     Joke aside, the document itself seems decent. It's easy to get an
>>     overview of the contexts. Did you test your CSS escaping in older
>>     browsers? I seem to remember there were some problems, and that
>>     escaping itself was not enough.
>>
>>     Also, why build your own cheat sheet instead of contributing to the
>>     established free and open OWASP XSS Prevention Cheat Sheet?
>>
>>     Best regards,
>>     Erlend Oftedal
>>
>>
>>     On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com
>>     <mailto:r at fuckthespam.com>> wrote:
>>
>>         Everybody,
>>         We released an XSS cheat sheet for developers today. The document
>>         talks about several contexts (13 combinations right now, but
>>         we'll be improving it).
>>         Some more info is available on the Coverity blog:
>>           https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
>>
>>         Our goal is to keep improving this cheat sheet while adding
>>         escapers and sanitizers to our library:
>>           https://github.com/coverity/coverity-security-library
>>
>>         Cheers,
>>         Romain
>>
>>
>>         _______________________________________________
>>         The Web Security Mailing List
>>
>>         WebSecurity RSS Feed
>>         http://www.webappsec.org/rss/websecurity.rss
>>
>>         Join WASC on LinkedIn
>>         http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>         WASC on Twitter
>>         http://twitter.com/wascupdates
>>
>>         websecurity at lists.webappsec.org
>>         <mailto:websecurity at lists.webappsec.org>
>>         http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
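Romain's point above (that a CSS string escaper has to account for how CSS parsers recover from errors, and therefore has to escape newlines among other characters) is easiest to see with a concrete escaper. The following is an added example written for this page; it is not code from the Coverity Security Library, the OWASP cheat sheet, or any of the posters, and the function names, the `.msg::after` selector and the sample inputs are all made up for illustration. It assumes the untrusted value is being placed inside a quoted CSS string (for example a `content:` value).

```javascript
// Added example: a conservative CSS string-context escaper. Not code from
// the Coverity Security Library or from the OWASP cheat sheet; the names
// and sample inputs below are assumptions made for this illustration.
//
// Assumed insertion point: inside a quoted CSS string, e.g.
//     .msg::after { content: "<UNTRUSTED>"; }
// A url("<UNTRUSTED>") value needs this escaping plus a scheme allowlist.

// Only ASCII letters and digits pass through unescaped. Everything else
// becomes a CSS hex escape: backslash, hex code point, one trailing space.
// The trailing space is part of the escape grammar: a CSS tokenizer consumes
// a single whitespace character after a hex escape, so "\41" followed by "B"
// would be read as U+41B, while "\41 B" reads as "AB".
const SAFE_CHAR = /^[A-Za-z0-9]$/;

function cssStringEscape(value) {
  let out = "";
  for (const ch of String(value)) { // for...of walks code points, not UTF-16 units
    if (SAFE_CHAR.test(ch)) {
      out += ch;
    } else {
      // A raw LF, CR or FF would end the string token (CSS "bad string" recovery),
      // a quote would close the string, a backslash would begin an escape of the
      // attacker's choosing. Hex-escaping all of them keeps the parser in the string.
      out += "\\" + ch.codePointAt(0).toString(16).toUpperCase() + " ";
    }
  }
  return out;
}

// Wrap the escaped value in a complete declaration block.
function contentRule(selector, untrusted) {
  return `${selector} { content: "${cssStringEscape(untrusted)}"; }`;
}

// Constructed sample inputs (not taken from the page). Each one would break
// out of the string, or out of the stylesheet, if inserted unescaped.
const samples = [
  "plain",
  "line1\nline2",
  '"; } body { background: url(//attacker.example) } .x { content: "',
  "back\\slash and </style><script>alert(1)</script>",
  "\u00e9\u{1F512}",
];

// Returns one finished rule per sample so the effect can be inspected.
function demo() {
  return samples.map((s) => contentRule(".msg::after", s));
}

// Quick self-check: no escaped value may still contain a character that
// can terminate a CSS string or the enclosing <style> element.
function allSamplesContained() {
  return samples.every((s) => !/["'\n\r\f<>\u0000]/.test(cssStringEscape(s)));
}
```

Escaping everything outside `[A-Za-z0-9]` is deliberately more aggressive than the minimum the CSS grammar requires; the extra cost is a few bytes per character, and it removes any dependence on which characters a particular (or older) parser treats as string terminators. It also covers `<` and `/`, so the escaped value cannot close a surrounding `<style>` element either. It does not make a value safe as an unquoted property value, a selector, or a URL scheme: those are different contexts and need their own validation.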
