[Owasp-leaders] Abridged XSS Cheat Sheet

Eoin eoin.keary at owasp.org
Wed Nov 16 10:00:24 EST 2011


Was just going to say about the escaping rules too!
Not everyone can use esapi so what's the solution???

On 16 Nov 2011, at 14:51, Jeff Williams <jeff.williams at owasp.org> wrote:

> Jim,
> 
> Why haven't you forwarded those comments from the OWASP community to me?  The current XSS prevention cheatsheet is the 4th most viewed page at OWASP with almost 20,000 reads a month.  What I can't understand is why you think it's a good idea to fork one of the most successful pages at OWASP.
> 
> Yes OWASP is open, and you're within your rights to do this.  But I have always tried to support our project leaders rather than just fork when they aren't exactly in line with my view.  For example, I developed a whole (positive) maturity model called Catalyst after the first Portugal summit, but didn't release it because I thought it would be better to throw my support behind OpenSAMM.
> 
> Look - I'm not opposed to coming up with a matrix style reference as part of the cheatsheet.  I even sent you some mockups about a year ago to try to figure it out.  But I don't think that hijacking a successful project is good for our community.  I'm not asking you not to do this, I'm asking you to work with the existing successful project.
> 
> By the way, your draft has some significant problems, and it's exactly because you haven't taken injection theory into account. I believe that you *have* to justify the escaping rules you propose, or people will not understand them.  If they don't understand, they will not implement properly.
> 
> --Jeff
> 
> 
> 
> On Tue, Nov 15, 2011 at 10:09 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Folks,
> 
> I've been working on a different "view" of XSS Defense mechanism which
> I've posted here
> https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet
> 
> My goal is to build a "traditional" short-form developer cheat sheet in
> the style of http://devcheatsheet.com
> 
> This is an alternate view of
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
> 
> I thought this was a cool idea, but it's ruffling feathers and I've been
> asked specifically NOT to do this.
> 
> Help please. :)
> 
> Do you find this to be valuable?
> Do you think this undermines the work of the current XSS Prevention
> Cheat Sheet?
> Do you think one method is more/digestible than the other?
> Do you think both of these are of value?
> 
> Any feedback is appreciated.
> 
> --
> Jim Manico
> 
> Connections Committee Chair
> Cheatsheet Series Product Manager
> OWASP Podcast Producer/Host
> 
> jim at owasp.org
> www.owasp.org
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders