[OWASP ASVS] Why is XSS not called out in ASVS version 2?
christian.heinrich at cmlh.id.au
Wed Sep 3 22:57:13 UTC 2014
On Thu, Sep 4, 2014 at 4:56 AM, Jim Manico <jim.manico at owasp.org> wrote:
> We need to be a little careful here. Output encoding is NOT the right
> architectures where there is no real page refresh, then you want to focus on
> safe use of JS sinks and proper JSON parsing. If a standard says that output
> encoding is the only XSS defense then it will be wrong and get even more
> wrong over time.
Agreed, let also correlate on the specific "mitigating control" and
its associated level of "vigour" too.
More information about the Owasp-application-security-verification-standard