[Owasp-leaders] Abridged XSS Cheat Sheet

Jeff Williams jeff.williams at owasp.org
Wed Nov 16 09:51:23 EST 2011


Why haven't you forwarded those comments from the OWASP community to me?
The current XSS prevention cheatsheet is the 4th most viewed page at OWASP
with almost 20,000 reads a month.  What I can't understand is why you think
it's a good idea to fork one of the most successful pages at OWASP.

Yes OWASP is open, and you're within your rights to do this.  But I have
always tried to support our project leaders rather than just fork when they
aren't exactly in line with my view.  For example, I developed a whole
(positive) maturity model called Catalyst after the first Portugal summit,
but didn't release it because I thought it would be better to throw my
support behind OpenSAMM.

Look - I'm not opposed to coming up with a matrix style reference as part
of the cheatsheet.  I even sent you some mockups about a year ago to try to
figure it out.  But I don't think that hijacking a successful project is
good for our community.  I'm not asking you not to do this, I'm asking you
to work with the existing successful project.

By the way, your draft has some significant problems, and it's exactly
because you haven't taken injection theory into account. I believe that you
*have* to justify the escaping rules you propose, or people will not
understand them.  If they don't understand, they will not implement


On Tue, Nov 15, 2011 at 10:09 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Folks,
> I've been working on a different "view" of XSS Defense mechanism which
> I've posted here
> https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet
> My goal is to build a "traditional" short-form developer cheat sheet in
> the style of http://devcheatsheet.com
> This is an alternate view of
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
> I thought this was a cool idea, but it's ruffling feathers and I've been
> asked specifically NOT to do this.
> Help please. :)
> Do you find this to be valuable?
> Do you think this undermines the work of the current XSS Prevention
> Cheat Sheet?
> Do you think one method is more/digestible than the other?
> Do you think both of these are of value?
> Any feedback is appreciated.
> --
> Jim Manico
> Connections Committee Chair
> Cheatsheet Series Product Manager
> OWASP Podcast Producer/Host
> jim at owasp.org
> www.owasp.org
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders