[WEB SECURITY] XSS cheat sheet for developers

Ivan Ristic ivan.ristic at gmail.com
Wed Feb 27 14:08:34 EST 2013


There isn't anything to "admit". They used their resources in the way
they saw fit.

Just because they are releasing their research to the public does not
give us the right to question their choices.


On Wed, Feb 27, 2013 at 4:13 PM, Eric Sheridan <eric.sheridan at owasp.org> wrote:
> At least you admit you're promoting something of your own (i.e. CSL) by
> keeping it separate instead of helping OWASP T10 promote their agenda
> (ex: ESAPI).
>
> Nice research.
>
> Sincerely,
> Eric Sheridan
> (twitter) @eric_sheridan
> (blog) http://ericsheridan.blogspot.com
>
> On 2/27/13 10:45 AM, romain wrote:
>> Argh, sorry about the blog and IE10. Not the first time I hear that...
>>
>> Concerning the CSS string escaper we did some testing, but not on super
>> old browsers actually. However, we looked at how CSS parsers are
>> recovering from errors, and what characters need to be escaped. That's
>> mostly why our CSS string escaper will escape newline chars and more.
>> Still, we have some more work to do; CSS parsers are a real pain.
>>
>> Contributing to the OWASP XSS prevention cheat sheet is something we talked
>> about. However, the OWASP document is first of all promoting ESAPI when
>> we are sorta promoting our lib. We are also talking about HTML contexts
>> at a more fine-grained level and it's difficult to put this in the OWASP
>> framework.
>> The OWASP cheat sheet format also doesn't play well with what we wanted
>> to do. They are driven by a few rules for preventing XSS; we're more about
>> code examples.
>>
>> Romain
>>  - @rgaucher
>>
>>
>> On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no> wrote:
>>
>>     Hard to tell really as your website blocks IE10 thinking it's IE6
>>     (not optimizing for old browsers is ok, but blocking is an
>>     antipattern - especially when it's wrong).
>>
>>     Joke aside, the document itself seems decent. It's easy to get an
>>     overview over the context. Did you test your CSS escaping in older
>>     browsers? I seem to remember there were some problems, and that
>>     escaping itself was not enough.
>>
>>     Also, why build your own cheat sheet instead of contributing to the
>>     established free and open OWASP XSS Prevention Cheat Sheet?
>>
>>     Best regards,
>>     Erlend Oftedal
>>
>>
>>     On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com> wrote:
>>
>>         Everybody,
>>         We released an XSS cheat sheet for developers today. The document
>>         talks about several contexts (13 combinations right now, but
>>         we'll be improving it).
>>         Some more info is available on the Coverity blog:
>>           https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
>>
>>         Our goal is to keep improving this cheat sheet while adding
>>         escapers and sanitizers to our library:
>>           https://github.com/coverity/coverity-security-library
>>
>>         Cheers,
>>         Romain
>>
>>
>>         _______________________________________________
>>         The Web Security Mailing List
>>
>>         WebSecurity RSS Feed
>>         http://www.webappsec.org/rss/websecurity.rss
>>
>>         Join WASC on LinkedIn
>>         http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>         WASC on Twitter
>>         http://twitter.com/wascupdates
>>
>>         websecurity at lists.webappsec.org
>>         http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>



-- 
Ivan Ristić
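The CSS string escaping that Romain describes in the quoted reply above (escaping newlines and other characters because of how CSS parsers recover from errors), as an added example that is not code from this thread or from the Coverity library; the function names and the sample inputs are my own:

```javascript
// Inside a CSS string literal an unescaped newline ends the token (the parser
// recovers by emitting a "bad-string"), and a raw quote, backslash or "</style>"
// can end the string or the whole style block early. Encoding every character
// outside [A-Za-z0-9] as a CSS hex escape (backslash, hex digits, one space)
// keeps the value inside the string whichever quote character surrounds it.
function cssStringEscape(input) {
  let out = "";
  for (const ch of String(input)) {          // iterates code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    const isAlnum = (cp >= 0x30 && cp <= 0x39) ||
                    (cp >= 0x41 && cp <= 0x5a) ||
                    (cp >= 0x61 && cp <= 0x7a);
    if (isAlnum) {
      out += ch;
    } else {
      // The trailing space terminates the escape, so a hex digit that follows
      // in the original text is not swallowed into the escape sequence.
      out += "\\" + cp.toString(16) + " ";
    }
  }
  return out;
}

// Hypothetical use: an untrusted, user-chosen font family name placed inside
// a quoted CSS string in a generated stylesheet.
function fontFamilyRule(untrusted) {
  return 'body { font-family: "' + cssStringEscape(untrusted) + '"; }';
}

// Post-condition a reviewer can check: the escaped text contains only
// alphanumerics, backslashes and spaces, so no string or block terminator
// survives unencoded.
function escapedIsInert(escaped) {
  return /^[A-Za-z0-9\\ ]*$/.test(escaped);
}

// Constructed sample inputs: a plain name, a newline (would end the string
// token), an embedded double quote, and a closing style tag.
const SAMPLES = ["Arial", "a\nb", 'say "hi"', "</style>"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", fontFamilyRule(s), escapedIsInert(cssStringEscape(s)));
}
```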