[Esapi-user] ricardozuasti.com - Stronger anti cross-site scripting (XSS) filter for Java web apps «

Jeff Williams jeff.williams at aspectsecurity.com
Fri Jul 6 21:51:09 UTC 2012


I’m not crazy about this.  I suspect that <scri<script>pt> will sail through, but I didn’t look very closely.  I’d stick to making sure your UI components properly (contextually) encode untrusted data.
--Jeff
From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Luke Biddell
Sent: Friday, July 06, 2012 5:44 PM
To: esapi-user at lists.owasp.org
Subject: [Esapi-user] ricardozuasti.com - Stronger anti cross-site scripting (XSS) filter for Java web apps «
Bumped into this on my travels. Seems helpful from a blacklist perspective. 

Whaddaya think? 

http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/

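The nested-tag case Jeff raises, worked through as an added example that is not part of the original thread, the blog post, or ESAPI: a stand-in single-pass blacklist filter (the rule list is assumed, modelled on the usual "strip <script> tags" approach, not copied from ricardozuasti.com) beside the contextual output encoding the reply recommends. The rule list, the encoder functions, the containsScriptTag helper and the NESTED_PAYLOAD string are all constructed for this illustration.

```javascript
// Added example; not code from ricardozuasti.com or from ESAPI.
// Left: a stand-in blacklist filter of the "strip <script>" kind (rules
// assumed, not copied from the blog post). Right: contextual output
// encoding, which is what the reply recommends instead.

// Assumed blacklist rules, each applied once, in order (single pass).
const BLACKLIST_RULES = [
  /<script>(.*?)<\/script>/gis,   // whole <script>...</script> element
  /<\/script>/gi,                 // stray closing tag
  /<script(.*?)>/gi,              // opening tag, with or without attributes
  /javascript:/gi,                // javascript: URLs
  /on\w+\s*=/gi,                  // inline event handlers (onerror=, ...)
  /eval\((.*?)\)/gi,              // eval(...)
];

// Single-pass blacklist "sanitizer": every rule runs once and the result is
// returned without re-scanning, so deleting a match can splice the bytes on
// either side of it into a token that none of the rules ever saw.
function blacklistFilter(input) {
  let out = input;
  for (const rule of BLACKLIST_RULES) {
    out = out.replace(rule, "");
  }
  return out;
}

// Contextual encoding for HTML element content: each character that can
// change the HTML parser's state becomes an entity, so the browser renders
// the data as text whatever it contains. Nothing is removed, so nothing
// can reassemble.
const HTML_TEXT_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

function encodeForHTML(input) {
  return String(input).replace(/[&<>"'/]/g, (ch) => HTML_TEXT_ENTITIES[ch]);
}

// Contextual encoding for a quoted HTML attribute value: everything except
// [A-Za-z0-9] becomes &#xHH;, so no quote, space or '>' survives to close
// the attribute early (this also covers a mistakenly unquoted attribute).
function encodeForHTMLAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const hex = ch.codePointAt(0).toString(16).toUpperCase();
    return `&#x${hex};`;
  });
}

// Structural check used below: is there still an opening <script tag?
function containsScriptTag(s) {
  return /<script/i.test(s);
}

// Constructed payload of the shape mentioned in the reply: each <script>
// token is nested inside another, so removing the inner one reassembles
// the outer one.
const NESTED_PAYLOAD = "<scri<script>pt>alert(1)</scri<script>pt>";

// Trace: no literal "</script>" exists, so rules 1 and 2 do not match;
// rule 3 deletes both inner "<script>" tokens, leaving
// "<script>alert(1)</script>" for the browser.
function demo() {
  const filtered = blacklistFilter(NESTED_PAYLOAD);
  const encodedText = encodeForHTML(NESTED_PAYLOAD);
  const encodedAttr = encodeForHTMLAttribute(NESTED_PAYLOAD);
  return {
    filtered,
    filteredStillHasScript: containsScriptTag(filtered),
    encodedText,
    encodedTextHasScript: containsScriptTag(encodedText),
    encodedAttr,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run with node to print the three forms of the same input. The design point is the one in the reply: a blacklist has to anticipate every way the input can be recombined after deletion, while encoding for the context the data lands in (element content, attribute value, and so on) leaves the input intact and removes its ability to change the parse, so there is nothing to bypass.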

