[Owasp-leaders] Abridged XSS Cheat Sheet

Jim Manico jim.manico at owasp.org
Wed Nov 16 13:11:05 EST 2011


I feel the existing XSS cheat sheet is too bulky for the average
developer. It's also not a traditional developer-centric cheat sheet.
http://devcheatsheet.com has plenty of examples of what I was aiming
for. Certainly if Jeff likes the grid, it can be used in the original
cheat sheet! This is all creative commons after all.

I'm not trying to steal anyone's thunder; I'm trying to help developers
write more secure code, that's it.

This is not a hijack or plagiarism, either. I included Jeff's name as an
author of the new cheat sheet and I'm honoring the creative commons
license.

The last thing we need to do is make the current XSS cheat sheet even
longer in my opinion. I think a concise "abridged" version is *very*
appropriate.

And so, I'm going to keep working on this. Try and stop me. :)

- Jim


> It seems both documents are valuable. Since we have an established XSS
> prevention cheat sheet, shouldn't we work to integrate enhancements
> into that document?  Clearly "cheat sheets" are meant to be concise,
> so we'll need to consider that element. But, we should constantly
> strive to enhance and evolve our materials.
>
> Michael Coates
> OWASP
>
> On Nov 16, 2011, at 7:00 AM, Eoin wrote:
>
>> Was just going to say about the escaping rules too!
>> Not everyone can use esapi so what's the solution???
>>
>> On 16 Nov 2011, at 14:51, Jeff Williams <jeff.williams at owasp.org> wrote:
>>
>>> Jim,
>>>
>>> Why haven't you forwarded those comments from the OWASP community to
>>> me?  The current XSS prevention cheatsheet is the 4th most viewed
>>> page at OWASP with almost 20,000 reads a month.  What I can't
>>> understand is why you think it's a good idea to fork one of the most
>>> successful pages at OWASP.
>>>
>>> Yes OWASP is open, and you're within your rights to do this.  But I
>>> have always tried to support our project leaders rather than just
>>> fork when they aren't exactly in line with my view.  For example, I
>>> developed a whole (positive) maturity model called Catalyst after
>>> the first Portugal summit, but didn't release it because I thought
>>> it would be better to throw my support behind OpenSAMM.
>>>
>>> Look - I'm not opposed to coming up with a matrix style reference as
>>> part of the cheatsheet.  I even sent you some mockups about a year
>>> ago to try to figure it out.  But I don't think that hijacking a
>>> successful project is good for our community.  I'm not asking you
>>> not to do this, I'm asking you to work with the existing successful
>>> project.
>>>
>>> By the way, your draft has some significant problems, and it's
>>> exactly because you haven't taken injection theory into account. I
>>> believe that you *have* to justify the escaping rules you propose,
>>> or people will not understand them.  If they don't understand, they
>>> will not implement properly.
>>>
>>> --Jeff
>>>
>>>
>>>
>>> On Tue, Nov 15, 2011 at 10:09 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>     Folks,
>>>
>>>     I've been working on a different "view" of XSS Defense mechanism
>>>     which
>>>     I've posted here
>>>     https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet
>>>
>>>     My goal is to build a "traditional" short-form developer cheat
>>>     sheet in
>>>     the style of http://devcheatsheet.com
>>>
>>>     This is an alternate view of
>>>     https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
>>>
>>>     I thought this was a cool idea, but it's ruffling feathers and
>>>     I've been
>>>     asked specifically NOT to do this.
>>>
>>>     Help please. :)
>>>
>>>     Do you find this to be valuable?
>>>     Do you think this undermines the work of the current XSS Prevention
>>>     Cheat Sheet?
>>>     Do you think one method is more digestible than the other?
>>>     Do you think both of these are of value?
>>>
>>>     Any feedback is appreciated.
>>>
>>>     --
>>>     Jim Manico
>>>
>>>     Connections Committee Chair
>>>     Cheatsheet Series Product Manager
>>>     OWASP Podcast Producer/Host
>>>
>>>     jim at owasp.org
>>>     www.owasp.org
>>>
>>>     _______________________________________________
>>>     OWASP-Leaders mailing list
>>>     OWASP-Leaders at lists.owasp.org
>>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>


-- 
Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

jim at owasp.org
www.owasp.org
