[Owasp-leaders] Fwd: Re: [WEB SECURITY] XSS cheat sheet for developers

Eric Sheridan eric.sheridan at owasp.org
Wed Feb 27 16:17:26 UTC 2013


Thought this was an interesting thread to forward to the leaders. Looks
like Coverity is pushing a new XSS cheatsheet via WASC which is designed
to "promote our lib" (CSL) instead of contributing to OWASP XSS
Cheatsheet which "is first of all promoting ESAPI".

Someone with more PC people skills (i.e. not me) might try to get these
efforts merged.

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com


-------- Original Message --------
Subject: 	Re: [WEB SECURITY] XSS cheat sheet for developers
Date: 	Wed, 27 Feb 2013 07:45:22 -0800
From: 	romain <r at fuckthespam.com>
To: 	Erlend Oftedal <erlend at oftedal.no>
CC: 	websecurity at lists.webappsec.org <websecurity at lists.webappsec.org>



Argh, sorry about the blog and IE10. Not the first time I hear that...

Concerning the CSS string escaper, we did some testing, but not on super
old browsers actually. However, we looked at how CSS parsers
recover from errors, and what characters need to be escaped. That's
mostly why our CSS string escaper will escape newline chars and more.
Still, we have some more work to do; CSS parsers are a real pain.

Contributing to the OWASP XSS prevention cheat sheet is something we talked
about. However, the OWASP document is first of all promoting ESAPI when
we are sorta promoting our lib. We are also talking about HTML contexts
at a more fine-grained level and it's difficult to put this in the OWASP
framework.
The OWASP cheat sheet format also doesn't play well with what we wanted
to do. They are driven by a few rules for preventing XSS; we're more about
code examples.

Romain
 - @rgaucher


On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no
<mailto:erlend at oftedal.no>> wrote:

    Hard to tell really as your website blocks IE10 thinking it's IE6
    (not optimizing for old browsers is ok, but blocking is an
    antipattern - especially when it's wrong).

    Joke aside, the document itself seems decent. It's easy to get an
    overview over the context. Did you test your CSS escaping in older
    browsers? I seem to remember there were some problems, and that
    escaping itself was not enough.

    Also, why build your own cheat sheet instead of contributing to the
    established free and open OWASP XSS Prevention Cheat Sheet?

    Best regards,
    Erlend Oftedal


    On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com
    <mailto:r at fuckthespam.com>> wrote:

        Everybody,
        We released an XSS cheat sheet for developers today. The document
        talks about several contexts (13 combinations right now, but
        we'll be improving it).
        Some more info is available on the Coverity blog:
        https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers

        Our goal is to keep improving this cheat sheet while adding
        escapers and sanitizers to our library:
        https://github.com/coverity/coverity-security-library

        Cheers,
        Romain

        _______________________________________________
        The Web Security Mailing List

        WebSecurity RSS Feed
        http://www.webappsec.org/rss/websecurity.rss

        Join WASC on LinkedIn
        http://www.linkedin.com/e/gis/83336/4B20E4374DBA

        WASC on Twitter
        http://twitter.com/wascupdates

        websecurity at lists.webappsec.org
        <mailto:websecurity at lists.webappsec.org>

http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
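A minimal CSS string escaper of the kind Romain describes above (hex-escaping everything that is not alphanumeric, so that newlines and the characters of a closing style tag cannot survive), as an added Python example that is not code from this thread or from the Coverity Security Library; it assumes the value is placed inside a quoted CSS string in a property value and that the target browsers honour CSS hex escapes (older browsers, as Erlend raised, are not covered here):

```python
import re

# ASCII letters and digits are the only characters left unescaped.
_SAFE_CHAR = re.compile(r"[A-Za-z0-9]")

# Raw characters that quote/backslash-only escaping does not address:
# line terminators (an unescaped newline ends the CSS string token and
# the parser's error recovery re-tokenises what follows) and the
# characters needed to close the enclosing HTML <style> element.
_RAW_DANGEROUS = "\n\r\f<>/"

def css_string_escape(value: str) -> str:
    """Escape `value` for insertion inside a quoted CSS string literal.

    Every non-alphanumeric character becomes a CSS hex escape: backslash,
    the hex code point, then one space. The space terminates the escape so
    the following character cannot be absorbed into it.
    """
    out = []
    for ch in value:
        if _SAFE_CHAR.match(ch):
            out.append(ch)
        else:
            out.append("\\%x " % ord(ch))   # '\n' -> '\a ', '"' -> '\22 '
    return "".join(out)

def naive_css_escape(value: str) -> str:
    """Quote-and-backslash-only escaping, kept here only for contrast."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")

def leftover_dangerous(escaped: str) -> str:
    """Return the raw dangerous characters that survive in an escaped value."""
    return "".join(ch for ch in escaped if ch in _RAW_DANGEROUS)

def css_declaration(prop: str, untrusted_value: str) -> str:
    """Build `prop: "<escaped>"` for a property whose value is a CSS string."""
    return '%s: "%s"' % (prop, css_string_escape(untrusted_value))

if __name__ == "__main__":
    # Constructed sample input (not from the thread) containing a quote,
    # a newline and a closing style tag, the cases the discussion mentions.
    sample = 'Arial"\n</style>'
    print(css_declaration("font-family", sample))
    print("naive escaper leaves:", repr(leftover_dangerous(naive_css_escape(sample))))
    print("hex escaper leaves:  ", repr(leftover_dangerous(css_string_escape(sample))))
```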







