[Owasp-leaders] Fwd: Re: [WEB SECURITY] XSS cheat sheet for developers

Ryan Barnett ryan.barnett at owasp.org
Wed Feb 27 16:18:38 UTC 2013


Just to clarify - this isn't being promoted by WASC. Romain simply sent an email to the public web security mail list. 

--
Ryan Barnett


On Feb 27, 2013, at 11:17 AM, Eric Sheridan <eric.sheridan at owasp.org> wrote:

> Thought this was an interesting thread to forward to the leaders. Looks
> like Coverity is pushing a new XSS cheatsheet via WASC which is designed
> to "promote our lib" (CSL) instead of contributing to OWASP XSS
> Cheatsheet which "is first of all promoting ESAPI".
> 
> Someone with more PC people skills (i.e. not me) might try to get these
> efforts merged.
> 
> Sincerely,
> Eric Sheridan
> (twitter) @eric_sheridan
> (blog) http://ericsheridan.blogspot.com
> 
> 
> -------- Original Message --------
> Subject:    Re: [WEB SECURITY] XSS cheat sheet for developers
> Date:    Wed, 27 Feb 2013 07:45:22 -0800
> From:    romain <r at fuckthespam.com>
> To:    Erlend Oftedal <erlend at oftedal.no>
> CC:    websecurity at lists.webappsec.org <websecurity at lists.webappsec.org>
> 
> 
> 
> Argh, sorry about the blog and IE10. Not the first time I hear that...
> 
> Concerning the CSS string escaper we did some testing, but not on super
> old browsers actually. However, we looked at how CSS parsers are
> recovering from errors, and what characters need to be escaped. That's
> mostly why our CSS string escaper will escape newline chars and more.
> Still, we have some more work to do; CSS parsers are a real pain.
> 
> Contributing to OWASP XSS prevention cheat sheet is something we talked
> about. However, the OWASP document is first of all promoting ESAPI when
> we are sorta promoting our lib. We are also talking about HTML contexts
> at a more fine-grained level and it's difficult to put this in the OWASP
> framework.
> The OWASP cheat sheet format also doesn't play well with what we wanted
> to do. They are driven by a few rules for preventing XSS; we're more about
> code examples.
> 
> Romain
> - @rgaucher
> 
> 
> On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no
> <mailto:erlend at oftedal.no>> wrote:
> 
>    Hard to tell really as your website blocks IE10 thinking it's IE6
>    (not optimizing for old browsers is ok, but blocking is an
>    antipattern - especially when it's wrong).
> 
>    Joke aside, the document itself seems decent. It's easy to get an
>    overview of the contexts. Did you test your CSS escaping in older
>    browsers? I seem to remember there were some problems, and that
>    escaping itself was not enough.
> 
>    Also, why build your own cheat sheet instead of contributing to the
>    established free and open OWASP XSS Prevention Cheat Sheet?
> 
>    Best regards,
>    Erlend Oftedal
> 
> 
>    On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com
>    <mailto:r at fuckthespam.com>> wrote:
> 
>        Everybody,
>        We release an XSS cheat sheet for developers today. The document
>        talks about several contexts (13 combinations right now, but
>        we'll be improving it).
>        Some more info is available on the Coverity blog:
>        https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
> 
>        Our goal is to keep improving this cheat sheet while adding
>        escapers and sanitizers to our library:
>        https://github.com/coverity/coverity-security-library
> 
>        Cheers,
>        Romain
> 
> 
> 
> 
> 
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
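The CSS string escaping Romain and Erlend discuss above, as an added example that is not from the thread or from the Coverity Security Library: every character outside a small safe set is emitted as a CSS hex escape with a trailing space, so a newline or quote in untrusted text cannot terminate the string token and let the parser recover into declaration context. The function names and the sample input are constructed for this example.

```javascript
// Added example (not from the thread or from the Coverity Security Library).
// Escapes untrusted text for use inside a quoted CSS string, e.g.
//   div::after { content: "<untrusted>"; }
// A CSS string is ended by an unescaped quote, and an unescaped newline turns it
// into a "bad string" token from which the parser recovers by reading what
// follows as new declarations. Escaping newlines as well as quotes and
// backslashes keeps the entire value inside one string token.
// Note: this only protects a value placed inside a quoted string in a property
// value; it does not make untrusted text safe in a selector or an unquoted url().

// Characters that are always safe to emit verbatim inside a CSS string.
const SAFE = /^[A-Za-z0-9 ]$/;

function escapeCssString(input) {
  let out = "";
  for (const ch of String(input)) {        // iterates by code point
    if (SAFE.test(ch)) {
      out += ch;
    } else {
      // Hex escape with a trailing space: CSS allows one whitespace after an
      // escape and consumes it, so the following character can never be read
      // as additional hex digits.
      out += "\\" + ch.codePointAt(0).toString(16) + " ";
    }
  }
  return out;
}

// Builds a complete declaration around the escaped value (selector is trusted).
function contentRule(selector, text) {
  return selector + "::after { content: \"" + escapeCssString(text) + "\"; }";
}

// Constructed sample that would break out of the string if left unescaped.
const SAMPLE = 'x"\n}\nbody{background:url(http://example.invalid)}';
```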

