jim.manico at owasp.org
Wed Apr 1 21:33:56 EDT 2009
I will have the first version of this done and checked in by week's end. It's easy - I'll steal your current js encoder and slightly modify.
I think that if all we had in ESAPI was the encoding library, that alone would be enough to stop the vast majority of real world problems. The rest is gravy. =)
----- Original Message -----
From: Jeff Williams
To: 'Jim Manico' ; owasp-esapi at lists.owasp.org
Sent: Wednesday, April 01, 2009 3:30 PM
I wrote these escaping routines before I wrote http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet (which a senior architect at a financial firm recently called "the best actionable write up on XSS prevention that I've ever read. This paper, in combination with ESAPI filters, gives people a real path to follow, rather than just vague mumbling about how hard it is.").
Anybody interested in dancing with the devil?
From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, April 01, 2009 7:53 PM
To: owasp-esapi at lists.owasp.org
It does not seem necessary in any modern browser, as long as your data is properly quoted during assignment.
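The disagreement above is whether quoting alone is enough or whether data dropped into a JavaScript string literal needs an encoder. The following added example (not ESAPI's own code; `encodeForJavaScript`, `buildAssignment` and `canLeaveLiteral` are names chosen here) implements an ESAPI-style encoder that escapes every non-alphanumeric character as `\xHH` or `\uHHHH`, and a check showing which emitted assignments still contain a character that could end the literal or the enclosing script block.

```javascript
// Added example, not code from ESAPI or the list. It encodes untrusted data
// for use inside a quoted JavaScript string literal in the ESAPI style:
// every character outside [A-Za-z0-9] becomes \xHH (below 0x100) or \uHHHH,
// so the output can never carry a quote, backslash, line terminator or a
// closing </script> tag into the surrounding page.
const SAFE = /^[A-Za-z0-9]$/;

function encodeForJavaScript(input) {
  let out = "";
  for (const ch of String(input)) {      // iterates by code point
    if (SAFE.test(ch)) { out += ch; continue; }
    const cp = ch.codePointAt(0);
    if (cp < 0x100) {
      out += "\\x" + cp.toString(16).toUpperCase().padStart(2, "0");
    } else if (cp < 0x10000) {
      out += "\\u" + cp.toString(16).toUpperCase().padStart(4, "0");
    } else {
      // astral code point: emit the UTF-16 surrogate pair
      const hi = Math.floor((cp - 0x10000) / 0x400) + 0xD800;
      const lo = ((cp - 0x10000) % 0x400) + 0xDC00;
      out += "\\u" + hi.toString(16).toUpperCase() +
             "\\u" + lo.toString(16).toUpperCase();
    }
  }
  return out;
}

// What a page template would emit for "var name = '<data>';".
// encode=false is the quote-only approach; encode=true runs the encoder.
const PREFIX = "var name = '";
function buildAssignment(value, encode) {
  return PREFIX + (encode ? encodeForJavaScript(value) : value) + "';";
}

// Could the data part of the emitted statement still leave the literal?
// The encoder's own \xHH / \uHHHH sequences are stripped first; anything
// left that is a quote, stray backslash, line terminator (including
// U+2028/U+2029) or "</script" means the HTML parser or JS tokenizer can
// be taken out of the intended context.
function canLeaveLiteral(stmt) {
  const data = stmt.slice(PREFIX.length, -2)
    .replace(/\\x[0-9A-F]{2}|\\u[0-9A-F]{4}/g, "");
  return /['"\\\n\r\u2028\u2029]|<\/script/i.test(data);
}
```

Even a benign value such as a surname with an apostrophe breaks the quote-only version, while the encoded form is inert regardless of input.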