[Esapi-user] [OWASP-ESAPI] Implementation of Global Output Encoder with ESAPI

Kevin W. Wall kevin.w.wall at gmail.com
Fri May 7 21:12:22 EDT 2010


Jim Manico wrote:
>> Jim you are absolutely right - but there are some cases where you need
>> the *big hammer* approach.
> 
> You are starting to sound like a WAF vendor. I think Imperva is hiring
> for sales....
> 
> *ducks*

Ouch! Let's keep this a clean fight. No more hitting below the belt. :)

> <soapbox>
> C'mon boys - Risk Management is often used to justify NOT doing the
> right thing. Around these parts we OUTPUT ENCODE CONTEXTUALLY FOR ALL
> OUTPUT. NOTHING ELSE STOPS XSS.
> </soapbox>

Jim is right. Remember the 4th point of the Rugged Software Manifesto:
	I recognize that my code will be used in ways I cannot anticipate,
	in ways it was not designed, and for longer than it was ever
	intended.

That means that even if a filter will work _today_ in your code, there is
no guarantee that it will work in the future. As soon as someone starts
putting user input in some other context such as a CSS, then your filter
will not work and your XSS problems are back.

It takes a lot of effort to write the code right...but not nearly as
much effort as it does if you write the code wrong.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
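Added example (not from the thread or from ESAPI itself) of the failure Kevin describes: a value that an HTML encoder leaves untouched still breaks out of its slot once it lands in a CSS context, while a CSS-context encoder keeps it inside. The two encoders are small imitations of ESAPI's encodeForHTML and encodeForCSS behaviour and are assumptions, not ESAPI code.

```python
"""Why HTML encoding does not protect a CSS context (added example).
The encoders below imitate ESAPI's encodeForHTML / encodeForCSS
behaviour (CSSCodec's backslash-hex-plus-space form) and are assumptions,
not ESAPI's own code."""
import html
import re


def encode_for_html(s: str) -> str:
    """HTML body/attribute context: escapes only & < > \" and '."""
    return html.escape(s, quote=True)


def encode_for_css(s: str) -> str:
    """CSS context: every non-ASCII-alphanumeric char becomes \\HH plus a
    space, so ; { } ( ) : and quotes can never end a declaration or rule."""
    return "".join(
        c if (c.isascii() and c.isalnum()) else "\\%x " % ord(c) for c in s
    )


def render_style(value: str, encoder) -> str:
    """Emit a 'user-chosen colour' stylesheet with the value encoded."""
    return "p { color: %s; }" % encoder(value)


def count_rules(css: str) -> int:
    """Count rule blocks; more than one means the value escaped its slot."""
    return len(re.findall(r"\{[^{}]*\}", css))


# Constructed input: contains no HTML metacharacters at all, so an HTML
# encoder (or a <script> filter) passes it through unchanged, yet in CSS
# the '}' closes the rule and '{' opens a second, attacker-controlled one.
USER_INPUT = "red} body{color:blue"


def demo():
    """Return (rule count with HTML encoding, rule count with CSS encoding)."""
    html_encoded = render_style(USER_INPUT, encode_for_html)
    css_encoded = render_style(USER_INPUT, encode_for_css)
    return count_rules(html_encoded), count_rules(css_encoded)


if __name__ == "__main__":
    print(render_style(USER_INPUT, encode_for_html))  # two rules: broken out
    print(render_style(USER_INPUT, encode_for_css))   # one rule: contained
```

The same value rendered into a JavaScript string or a URL would need ESAPI's encodeForJavaScript or encodeForURL instead; the encoder must match the output context, not the input.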
