[Owasp-leaders] Abridged XSS Cheat Sheet

Michael Coates michael.coates at owasp.org
Wed Nov 16 12:53:20 EST 2011


It seems both documents are valuable. Since we have an established XSS prevention cheat sheet, shouldn't we work to integrate enhancements into that document?  Clearly "cheat sheets" are meant to be concise, so we'll need to consider that element. But, we should constantly strive to enhance and evolve our materials.



Michael Coates
OWASP



On Nov 16, 2011, at 7:00 AM, Eoin wrote:

> Was just going to say about the escaping rules too!
> Not everyone can use esapi so what's the solution???
> 
> On 16 Nov 2011, at 14:51, Jeff Williams <jeff.williams at owasp.org> wrote:
> 
>> Jim,
>> 
>> Why haven't you forwarded those comments from the OWASP community to me?  The current XSS prevention cheatsheet is the 4th most viewed page at OWASP with almost 20,000 reads a month.  What I can't understand is why you think it's a good idea to fork one of the most successful pages at OWASP.
>> 
>> Yes OWASP is open, and you're within your rights to do this.  But I have always tried to support our project leaders rather than just fork when they aren't exactly in line with my view.  For example, I developed a whole (positive) maturity model called Catalyst after the first Portugal summit, but didn't release it because I thought it would be better to throw my support behind OpenSAMM.
>> 
>> Look - I'm not opposed to coming up with a matrix style reference as part of the cheatsheet.  I even sent you some mockups about a year ago to try to figure it out.  But I don't think that hijacking a successful project is good for our community.  I'm not asking you not to do this, I'm asking you to work with the existing successful project.
>> 
>> By the way, your draft has some significant problems, and it's exactly because you haven't taken injection theory into account. I believe that you *have* to justify the escaping rules you propose, or people will not understand them.  If they don't understand, they will not implement properly.
>> 
>> --Jeff
>> 
>> 
>> 
>> On Tue, Nov 15, 2011 at 10:09 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Folks,
>> 
>> I've been working on a different "view" of XSS Defense mechanism which
>> I've posted here
>> https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet
>> 
>> My goal is to build a "traditional" short-form developer cheat sheet in
>> the style of http://devcheatsheet.com
>> 
>> This is an alternate view of
>> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
>> 
>> I thought this was a cool idea, but it's ruffling feathers and I've been
>> asked specifically NOT to do this.
>> 
>> Help please. :)
>> 
>> Do you find this to be valuable?
>> Do you think this undermines the work of the current XSS Prevention
>> Cheat Sheet?
>> Do you think one method is more/less digestible than the other?
>> Do you think both of these are of value?
>> 
>> Any feedback is appreciated.
>> 
>> --
>> Jim Manico
>> 
>> Connections Committee Chair
>> Cheatsheet Series Product Manager
>> OWASP Podcast Producer/Host
>> 
>> jim at owasp.org
>> www.owasp.org
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
