[OWASP ASVS] Why is XSS not called out in ASVS version 2?

Christian Heinrich christian.heinrich at cmlh.id.au
Wed Sep 3 22:57:13 UTC 2014


On Thu, Sep 4, 2014 at 4:56 AM, Jim Manico <jim.manico at owasp.org> wrote:
> We need to be a little careful here. Output encoding is NOT the right
> defense for every framework. If you are using heavy JavaScript and JSON type
> architectures where there is no real page refresh, then you want to focus on
> safe use of JS sinks and proper JSON parsing. If a standard says that output
> encoding is the only XSS defense then it will be wrong and get even more
> wrong over time.

Agreed, let's also correlate on the specific "mitigating control" and
its associated level of "vigour" too.

Christian Heinrich
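The point Jim makes above (that in a JavaScript/JSON front end the right XSS control depends on the sink the data reaches, not on a single server-side output-encoding step) as an added example; this is not code from the thread or from ASVS. It runs under Node, uses a constructed two-field object in place of a DOM element, and assumes the API returns a JSON object with `name` and `website` fields.

```javascript
// Added example: per-sink handling of API data on the client.
// JSON parsing: only JSON.parse, never eval()/Function(); reject shapes we
// did not ask for so a surprising body cannot flow into the rest of the code.
function parseApiJson(body) {
  const data = JSON.parse(body);            // throws on malformed input
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('expected a JSON object');
  }
  return data;
}

// Constructed stand-in for a DOM element so the example runs outside a
// browser: `text` models el.textContent, `href` models el.href.
function makeElement() { return { text: '', href: null }; }

// Text sink. textContent never parses markup, so the raw value is correct
// here; HTML-encoding it first would show "&lt;" to the user (see below).
function setText(el, value) { el.text = String(value); }

// URL sink. HTML encoding does nothing against a javascript: URL; the
// control for this sink is a scheme allow-list. Relative URLs are resolved
// against an assumed site origin.
const SITE_ORIGIN = 'https://example.invalid/';           // assumption
function setLink(el, value) {
  let url;
  try { url = new URL(String(value), SITE_ORIGIN); } catch { el.href = null; return false; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') { el.href = null; return false; }
  el.href = url.href;
  return true;
}

// Classic server-side HTML output encoding, kept only to show the mismatch
// when the value is bound for a text node instead of an HTML document.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(s) { return String(s).replace(/[&<>"']/g, c => HTML_MAP[c]); }

// Render one API response: text goes to a text sink, the URL to a URL sink.
function renderUser(body) {
  const user = parseApiJson(body);
  const nameEl = makeElement();
  const siteEl = makeElement();
  setText(nameEl, user.name);
  const linkOk = setLink(siteEl, user.website);
  return { name: nameEl.text, href: siteEl.href, linkOk };
}
```

With a constructed response such as `{"name":"O'Brien <qa>","website":"javascript:void(0)"}` the name reaches the text sink unchanged, the link is dropped because of its scheme, and `htmlEncode` would have produced `O&#39;Brien &lt;qa&gt;`, which is wrong for a text node.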
