[Owasp-leaders] Abridged XSS Cheat Sheet

Colin Watson colin.watson at owasp.org
Wed Nov 16 15:34:52 EST 2011


I think there has been some feedback about having a consistent format
for the cheat sheet series.  Whilst that may be very difficult with
the full versions, and since it might artificially constrain them,
perhaps this abridged idea could come up with a short-format which
would work for ALL the cheat sheets.

My proviso would be that the abridged versions must not be
incompatible with the master full versions, and must link/refer to
those for further information.

Of course coming up with an abridged format that works for all the
various cheat sheets won't necessarily be easy, but they may be more
distributable, and tease people into the full versions, ...then the
guides, ...then membership, ...then running a project, ...etc.

Colin

On 16 November 2011 19:43, Sherif Koussa <sherif.koussa at owasp.org> wrote:
> I second Michael on that. I believe there is room AND need for the longer
> and the shorter versions of the XSS cheat sheets and every other cheat
> sheets for that matter.
>
> Yes, some developers would want to understand everything related to XSS and
> the rationale behind output encoding, injection theory and all, but there
> will be some who just want to understand what XSS is all about in less than
> 5 minutes. Developers are smart and creative people and they know how to fix
> their applications. What we have to do is to provide them the key and get out of
> their way.
>
> There has to be a way to simplify all app sec information to devs because
> honestly they don't and will not care about security unless it is put in a
> bite size dose that they can easily chew on without choking.
>
> Regards,
> Sherif
>
> On Wed, Nov 16, 2011 at 12:53 PM, Michael Coates <michael.coates at owasp.org>
> wrote:
>>
>> It seems both documents are valuable. Since we have an established XSS
>> prevention cheat sheet, shouldn't we work to integrate enhancements into
>> that document?  Clearly "cheat sheets" are meant to be concise, so we'll
>> need to consider that element. But, we should constantly strive to enhance
>> and evolve our materials.
>>
>>
>> Michael Coates
>> OWASP
>>
>>
>>
>> On Nov 16, 2011, at 7:00 AM, Eoin wrote:
>>
>> Was just going to say about the escaping rules too!
>> Not everyone can use esapi so what's the solution???
>>
>>
>>
>> On 16 Nov 2011, at 14:51, Jeff Williams <jeff.williams at owasp.org> wrote:
>>
>> Jim,
>> Why haven't you forwarded those comments from the OWASP community to me?
>>  The current XSS prevention cheatsheet is the 4th most viewed page at OWASP
>> with almost 20,000 reads a month.  What I can't understand is why you think
>> it's a good idea to fork one of the most successful pages at OWASP.
>> Yes OWASP is open, and you're within your rights to do this.  But I have
>> always tried to support our project leaders rather than just fork when they
>> aren't exactly in line with my view.  For example, I developed a whole
>> (positive) maturity model called Catalyst after the first Portugal summit,
>> but didn't release it because I thought it would be better to throw my
>> support behind OpenSAMM.
>> Look - I'm not opposed to coming up with a matrix style reference as part
>> of the cheatsheet.  I even sent you some mockups about a year ago to try to
>> figure it out.  But I don't think that hijacking a successful project is
>> good for our community.  I'm not asking you not to do this, I'm asking you
>> to work with the existing successful project.
>> By the way, your draft has some significant problems, and it's exactly
>> because you haven't taken injection theory into account. I believe that you
>> *have* to justify the escaping rules you propose, or people will not
>> understand them.  If they don't understand, they will not implement
>> properly.
>> --Jeff
>>
>>
>> On Tue, Nov 15, 2011 at 10:09 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> Folks,
>>>
>>> I've been working on a different "view" of XSS Defense mechanism which
>>> I've posted here
>>> https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet
>>>
>>> My goal is to build a "traditional" short-form developer cheat sheet in
>>> the style of http://devcheatsheet.com
>>>
>>> This is an alternate view of
>>>
>>> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
>>>
>>> I thought this was a cool idea, but it's ruffling feathers and I've been
>>> asked specifically NOT to do this.
>>>
>>> Help please. :)
>>>
>>> Do you find this to be valuable?
>>> Do you think this undermines the work of the current XSS Prevention
>>> Cheat Sheet?
>>> Do you think one method is more digestible than the other?
>>> Do you think both of these are of value?
>>>
>>> Any feedback is appreciated.
>>>
>>> --
>>> Jim Manico
>>>
>>> Connections Committee Chair
>>> Cheatsheet Series Product Manager
>>> OWASP Podcast Producer/Host
>>>
>>> jim at owasp.org
>>> www.owasp.org
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>
>
>
>

