[Owasp-leaders] Fwd: Re: [WEB SECURITY] XSS cheat sheet for developers
Ryan Barnett
ryan.barnett at owasp.org
Wed Feb 27 16:18:38 UTC 2013
Just to clarify - this isn't being promoted by WASC. Romain simply sent an email to the public web security mail list.
--
Ryan Barnett
On Feb 27, 2013, at 11:17 AM, Eric Sheridan <eric.sheridan at owasp.org> wrote:
> Thought this was an interesting thread to forward to the leaders. Looks
> like Coverity is pushing a new XSS cheatsheet via WASC which is designed
> to "promote our lib" (CSL) instead of contributing to OWASP XSS
> Cheatsheet which "is first of all promoting ESAPI".
>
> Someone with more PC people skills (i.e. not me) might try to get these
> efforts merged.
>
> Sincerely,
> Eric Sheridan
> (twitter) @eric_sheridan
> (blog) http://ericsheridan.blogspot.com
>
>
> -------- Original Message --------
> Subject: Re: [WEB SECURITY] XSS cheat sheet for developers
> Date: Wed, 27 Feb 2013 07:45:22 -0800
> From: romain <r at fuckthespam.com>
> To: Erlend Oftedal <erlend at oftedal.no>
> CC: websecurity at lists.webappsec.org <websecurity at lists.webappsec.org>
>
>
>
> Argh, sorry about the blog and IE10. Not the first time I hear that...
>
> Concerning the CSS string escaper, we did some testing, but not on super
> old browsers actually. However, we looked at how CSS parsers
> recover from errors, and what characters need to be escaped. That's
> mostly why our CSS string escaper will escape newline chars and more.
> Still, we have some more work to do; CSS parsers are a real pain.
>
> Contributing to the OWASP XSS prevention cheat sheet is something we talked
> about. However, the OWASP document is first of all promoting ESAPI when
> we are sorta promoting our lib. We are also talking about HTML contexts
> at a more fine-grained level and it's difficult to put this in the OWASP
> framework.
> The OWASP cheat sheet format also doesn't play well with what we wanted
> to do. They are driven by a few rules for preventing XSS; we're more about
> code examples.
>
> Romain
>  - @rgaucher
>
>
> On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no
> <mailto:erlend at oftedal.no>> wrote:
>
> Hard to tell really as your website blocks IE10 thinking it's IE6
> (not optimizing for old browsers is ok, but blocking is an
> antipattern - especially when it's wrong).
>
> Joke aside, the document itself seems decent. It's easy to get an
> overview of the context. Did you test your CSS escaping in older
> browsers? I seem to remember there were some problems, and that
> escaping itself was not enough.
>
> Also, why build your own cheat sheet instead of contributing to the
> established free and open OWASP XSS Prevention Cheat Sheet?
>
> Best regards,
> Erlend Oftedal
>
>
> On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com
> <mailto:r at fuckthespam.com>> wrote:
>
> Everybody,
> We release an XSS cheat sheet for developers today. The document
> talks about several contexts (13 combinations right now, but
> we'll be improving it).
> Some more info is available on the Coverity blog:
> https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
>
> Our goal is to keep improving this cheat sheet while adding
> escapers and sanitizers to our library:
> https://github.com/coverity/coverity-security-library
>
> Cheers,
> Romain
>
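The CSS string escaping point raised above (a raw newline ends a CSS string token, so escaping quotes alone is not enough), as an added example that is not code from the thread or from the Coverity Security Library: a hex-escaping CSS string escaper beside a quote-only one, with a small model of the tokenizer's string handling to show why the first is needed. All function names and the sample value are assumptions.

```javascript
// Added example, not code from the thread or from the Coverity Security
// Library. Escaper for the CSS *string* context, i.e. a value spliced into
//   font-family: "<value>"   or   content: "<value>"
// Every code point that is not ASCII alphanumeric becomes a CSS hex escape
// (backslash, hex code point, one space; the tokenizer consumes that space
// as the end of the escape). That covers quotes and backslash, but also
// newline, CR and FF: an unescaped newline ends a CSS string token ("bad
// string" recovery), so a quote-only escaper still lets a value leave the
// string context.
function cssStringEscape(input) {
  let out = "";
  for (const ch of String(input)) {            // iterate by code point
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else {
      out += "\\" + ch.codePointAt(0).toString(16) + " ";
    }
  }
  return out;
}

// The weak alternative for comparison: escape quotes and backslash only.
function quoteOnlyEscape(input) {
  return String(input).replace(/["\\]/g, (c) => "\\" + c);
}

// Small model of how a CSS tokenizer consumes the body of a double-quoted
// string (CSS Syntax Module Level 3, "consume a string token"): returns
// true when the token ends before the value does, i.e. the value breaks
// out of the string context. Hex-escape length handling is simplified.
function breaksOutOfCssString(body) {
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c === '"') return true;                              // closes the string early
    if (c === "\n" || c === "\r" || c === "\f") return true; // bad string: token ends
    if (c === "\\") i++;                                     // escaped char or line continuation
  }
  return false;
}

// Constructed sample value: a "font name" carrying a newline and a quote.
const SAMPLE = 'Helvetica Neue\n"; color: red';

function demo() {
  return {
    quoteOnly: breaksOutOfCssString(quoteOnlyEscape(SAMPLE)),  // true
    hexEscaped: breaksOutOfCssString(cssStringEscape(SAMPLE)), // false
    rule: `font-family: "${cssStringEscape(SAMPLE)}";`,
  };
}
console.log(demo());
```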