[WEB SECURITY] XSS cheat sheet for developers

Paul Johnston paul.johnston at pentest.co.uk
Mon Mar 4 09:34:08 EST 2013


> I dunno why the Internet rage machine is pointed at CSL today. I think the community is better served if we can move the discussion back to constructive criticisms, quantified results, and actionable feedback instead of snide comments. Alas, it's a free world so carry on as you see fit.

It's a thankless task doing anything constructive! Mailing lists seem to
be full of people with plenty of time to pick holes in whatever you do.

Having said that, I do have two comments, which are intended to be

1) For some obscure contexts (you mention CSS is very tricky) it may be
better to simply never put user-supplied data in these contexts. We
don't know what wacky behaviour might be in obscure old browsers, or
even in future browsers. Providing an escaping function for these
contexts may be encouraging people to do a bad thing. For example, it's
not uncommon to see user-supplied data within a <script> block. One option
is to escape it, perhaps using your library, but I have always advised
people to side-step the issue and put the user-supplied data in a hidden
field, which is then accessed by JavaScript.

2) A programmer still has to correctly identify the context they are in,
and use the correct escaping function. There is still plenty of
opportunity for programmer error here. I've not used it, but Google have
a templating system that does automatic context-aware escaping:


Pentest - The Application Security Specialists

Paul Johnston - IT Security Consultant / Tiger SST
PenTest Limited - ISO 9001 (44/100/107029) / ISO 27001 (IS 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
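The "hidden field" side-step from point 1, as an added example that is not code from the original post or its author. It contrasts concatenating user data straight into a <script> block with placing it in a hidden input (HTML attribute context only) that static JavaScript reads back. The payload strings are constructed, the element id and variable names are assumptions, and the check simply counts script-closing tags in the rendered markup; it runs under Node.js without a browser.

```javascript
// Added example (not from the original post): the "hidden field" side-step
// versus inlining user data into a <script> block. Node.js, no browser needed.

// HTML text/attribute escaping: the one context every web developer should
// already have a correct function for. '&' must be replaced first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Approach 1: concatenate user data into a JavaScript string literal inside
// <script>. The author has to get JS-string escaping right AND remember that
// the HTML parser ends the script block at the first "</script", regardless
// of the JavaScript quoting state at that point.
function renderInlineScript(userValue) {
  return '<script>var name = "' + userValue + '";</script>';
}

// Approach 2: put the data in a hidden input using ordinary HTML attribute
// escaping and let static JavaScript read it. The browser's HTML parser
// decodes the entities before the script reads .value, so the script sees
// the original string, but the data never touches the script context.
// (Element id "user-name" is an assumption for the example.)
function renderHiddenField(userValue) {
  return '<input type="hidden" id="user-name" value="' + escapeHtml(userValue) + '">' +
         '<script>var name = document.getElementById("user-name").value;</script>';
}

// Check: count script-closing tags in the rendered HTML. A template with one
// <script> block should yield exactly one; more means the data broke out.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Helper for inspecting what actually landed inside the hidden field's
// value attribute (first value="..." in the markup).
function hiddenFieldValue(html) {
  const m = html.match(/value="([^"]*)"/);
  return m ? m[1] : null;
}

// Constructed payloads: one closes the script block and opens a new one,
// the other tries to break out of the JS string literal instead.
const TAG_PAYLOAD = '</script><script>alert(document.cookie)</script>';
const QUOTE_PAYLOAD = '"; alert(1); //';

function demo() {
  const inline = renderInlineScript(TAG_PAYLOAD);
  const hidden = renderHiddenField(TAG_PAYLOAD);
  console.log('inline script closing tags:', countScriptCloses(inline));
  console.log('hidden field closing tags :', countScriptCloses(hidden));
  console.log('hidden field value        :', hiddenFieldValue(renderHiddenField(QUOTE_PAYLOAD)));
  return { inline: countScriptCloses(inline), hidden: countScriptCloses(hidden) };
}

demo();
```

The hidden-field approach reduces the problem to HTML attribute escaping, which is both well understood and the same function used everywhere else in the page, so there is no separate "script context" rule for a developer to misidentify (the concern raised in point 2). The attribute value should still be read with `.value` or `getAttribute`, never re-injected via `innerHTML` or `eval`.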
