[Owasp-leaders] Fwd: Re: [WEB SECURITY] XSS cheat sheet for developers
Eric Sheridan
eric.sheridan at owasp.org
Wed Feb 27 16:17:26 UTC 2013
Thought this was an interesting thread to forward to the leaders. Looks
like Coverity is pushing a new XSS cheatsheet via WASC which is designed
to "promote our lib" (CSL) instead of contributing to OWASP XSS
Cheatsheet which "is first of all promoting ESAPI".
Someone with more PC people skills (i.e. not me) might try to get these
efforts merged.
Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com
-------- Original Message --------
Subject: Re: [WEB SECURITY] XSS cheat sheet for developers
Date: Wed, 27 Feb 2013 07:45:22 -0800
From: romain <r at fuckthespam.com>
To: Erlend Oftedal <erlend at oftedal.no>
CC: websecurity at lists.webappsec.org <websecurity at lists.webappsec.org>
Argh, sorry about the blog and IE10. Not the first time I hear that...
Concerning the CSS string escaper, we did some testing, but not on super
old browsers actually. However, we looked at how CSS parsers
recover from errors, and what characters need to be escaped. That's
mostly why our CSS string escaper will escape newline chars and more.
Still, we have some more work to do; CSS parsers are a real pain.
Contributing to the OWASP XSS prevention cheat sheet is something we talked
about. However, the OWASP document is first of all promoting ESAPI when
we are sorta promoting our lib. We are also talking about HTML contexts
at a more fine-grained level and it's difficult to put this in the OWASP
framework.
The OWASP cheat sheet format also doesn't play well with what we wanted
to do. They are driven by a few rules for preventing XSS, we're more about
code examples.
Romain
 - @rgaucher
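Romain's point about CSS parser error recovery is the reason a CSS string escaper has to treat more than quotes and backslashes as dangerous: an unescaped newline inside a CSS string ends the string (a "bad string" token) and the parser resumes at the next token, and a raw `</style>` is consumed by the HTML parser before CSS ever sees it. The following is an added example written for this page, not code from the Coverity Security Library or from OWASP; the function names `escapeCssString` and `isSafeCssStringBody` and the sample inputs are constructed for illustration. It escapes every character outside `[A-Za-z0-9]` as a CSS hex escape with a trailing space, which is valid inside any CSS string and survives newline, quote and tag characters alike.

```javascript
// Added example (not the Coverity Security Library's code): a conservative
// CSS string escaper. Anything that is not an ASCII letter or digit is
// emitted as "\HEX " (backslash, hex code point, one space). The trailing
// space matters: CSS hex escapes are variable length, so "\41 B" is "AB"
// while "\41B" is the single code point U+041B.
function escapeCssString(input) {
  let out = "";
  for (const ch of String(input)) {          // for...of walks code points
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else {
      // codePointAt(0) on a surrogate pair returns the full code point
      out += "\\" + ch.codePointAt(0).toString(16).toUpperCase() + " ";
    }
  }
  return out;
}

// Defensive self-check: true only when the body of a CSS string consists
// solely of alphanumerics and well-formed "\HEX " escapes. Use it in a test
// or a pre-render assertion to catch a value that bypassed the escaper.
function isSafeCssStringBody(body) {
  return /^(?:[A-Za-z0-9]|\\[0-9A-F]{1,6} )*$/.test(body);
}

// Builds a CSS rule that embeds untrusted data in the CSS string context.
// The data is placed inside double quotes; the escaper guarantees the
// quotes cannot be closed early and no newline can terminate the string.
function buildContentRule(selector, untrustedText) {
  return selector + ' { content: "' + escapeCssString(untrustedText) + '"; }';
}

// Constructed sample input exercising the failure modes discussed above:
// a newline, a double quote, and a closing style tag.
const SAMPLE_UNTRUSTED = 'a\nb"</style>';

// Stand-alone demonstration.
console.log(buildContentRule("div:after", SAMPLE_UNTRUSTED));
console.log("safe:", isSafeCssStringBody(escapeCssString(SAMPLE_UNTRUSTED)));
```

Escaping every non-alphanumeric character is deliberately broader than the minimum the CSS grammar requires; the cost is longer output, the benefit is that the escaper's safety does not depend on which browser's error-recovery behaviour is in play, which is exactly the uncertainty Erlend raised about older browsers.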
On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no> wrote:
Hard to tell really as your website blocks IE10 thinking it's IE6
(not optimizing for old browsers is ok, but blocking is an
antipattern - especially when it's wrong).
Joke aside, the document itself seems decent. It's easy to get an
overview over the context. Did you test your CSS escaping in older
browsers? I seem to remember there were some problems, and that
escaping itself was not enough.
Also, why build your own cheat sheet instead of contributing to the
established free and open OWASP XSS Prevention Cheat Sheet?
Best regards,
Erlend Oftedal
On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com> wrote:
Everybody,
We released an XSS cheat sheet for developers today. The document
talks about several contexts (13 combinations right now, but
we'll be improving it).
Some more info is available on the Coverity blog:
https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
Our goal is to keep improving this cheat sheet while adding
escapers and sanitizers to our library:
  https://github.com/coverity/coverity-security-library
Cheers,
Romain
_______________________________________________
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org