[Owasp-leaders] Fwd: Re: [WEB SECURITY] XSS cheat sheet for developers
Eric Sheridan
eric.sheridan at owasp.org
Wed Feb 27 16:31:00 UTC 2013
Manico is on it... Thanks Jim.
Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com
On 2/27/13 11:18 AM, Ryan Barnett wrote:
> Just to clarify - this isn't being promoted by WASC. Romain simply sent an email to the public web security mail list.
>
> --
> Ryan Barnett
>
>
> On Feb 27, 2013, at 11:17 AM, Eric Sheridan <eric.sheridan at owasp.org> wrote:
>
>> Thought this was an interesting thread to forward to the leaders. Looks
>> like Coverity is pushing a new XSS cheatsheet via WASC which is designed
>> to "promote our lib" (CSL) instead of contributing to OWASP XSS
>> Cheatsheet which "is first of all promoting ESAPI".
>>
>> Someone with more PC people skills (i.e. not me) might try to get these
>> efforts merged.
>>
>> Sincerely,
>> Eric Sheridan
>> (twitter) @eric_sheridan
>> (blog) http://ericsheridan.blogspot.com
>>
>>
>> -------- Original Message --------
>> Subject: Re: [WEB SECURITY] XSS cheat sheet for developers
>> Date: Wed, 27 Feb 2013 07:45:22 -0800
>> From: romain <r at fuckthespam.com>
>> To: Erlend Oftedal <erlend at oftedal.no>
>> CC: websecurity at lists.webappsec.org <websecurity at lists.webappsec.org>
>>
>>
>>
>> Argh, sorry about the blog and IE10. Not the first time I hear that...
>>
>> Concerning the CSS string escaper, we did some testing, but not on super
>> old browsers actually. However, we looked at how CSS parsers
>> recover from errors, and what characters need to be escaped. That's
>> mostly why our CSS string escaper will escape newline chars and more.
>> Still, we have some more work to do; CSS parsers are a real pain.
>>
>> Contributing to the OWASP XSS prevention cheat sheet is something we talked
>> about. However, the OWASP document is first of all promoting ESAPI when
>> we are sorta promoting our lib. We are also talking about HTML contexts
>> at a more fine-grained level and it's difficult to put this in the OWASP
>> framework.
>> The OWASP cheat sheet format also doesn't play well with what we wanted
>> to do. They are driven by a few rules for preventing XSS; we're more about
>> code examples.
>>
>> Romain
>> - @rgaucher
>>
>>
>> On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no
>> <mailto:erlend at oftedal.no>> wrote:
>>
>> Hard to tell really as your website blocks IE10 thinking it's IE6
>> (not optimizing for old browsers is ok, but blocking is an
>> antipattern - especially when it's wrong).
>>
>> Joke aside, the document itself seems decent. It's easy to get an
>> overview over the context. Did you test your CSS escaping in older
>> browsers? I seem to remember there were some problems, and that
>> escaping itself was not enough.
>>
>> Also, why build your own cheat sheet instead of contributing to the
>> established free and open OWASP XSS Prevention Cheat Sheet?
>>
>> Best regards,
>> Erlend Oftedal
>>
>>
>> On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com
>> <mailto:r at fuckthespam.com>> wrote:
>>
>> Everybody,
>> We released an XSS cheat sheet for developers today. The document
>> talks about several contexts (13 combinations right now, but
>> we'll be improving it).
>> Some more info is available on the Coverity blog:
>>
>> https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
>>
>> Our goal is to keep improving this cheat sheet while adding
>> escapers and sanitizers to our library:
>> https://github.com/coverity/coverity-security-library
>>
>> Cheers,
>> Romain
>>
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>> <mailto:websecurity at lists.webappsec.org>
>>
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>>
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
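Romain's remark in the thread above about a CSS string escaper that escapes newline characters, illustrated with an added example; this is not Coverity's CSL code and not part of the thread, and the rule-building helper, the `RAW_DELIMITERS` check and the sample label are constructed for illustration.

```javascript
// Added example (not Coverity's CSL code): an escaper for untrusted text placed
// inside a CSS string literal ("..." or '...').
// Why newlines matter: an unescaped newline inside a CSS string ends the token
// as a "bad string" and the parser recovers and keeps going, so text containing
// a newline can break out of the string. Quotes, backslashes and "</style>" are
// the other ways out. Rather than enumerate them, this escaper rewrites every
// character outside [A-Za-z0-9] as a hex escape ("\" + hex + space); the
// trailing space keeps a following hex digit from being absorbed into the escape.

function cssStringEscape(input) {
  let out = "";
  for (const ch of String(input)) {        // for..of yields whole code points
    const cp = ch.codePointAt(0);
    const alnum =
      (cp >= 0x30 && cp <= 0x39) ||          // 0-9
      (cp >= 0x41 && cp <= 0x5a) ||          // A-Z
      (cp >= 0x61 && cp <= 0x7a);            // a-z
    out += alnum ? ch : "\\" + cp.toString(16) + " ";
  }
  return out;
}

// Hypothetical usage: a rule whose string value is untrusted; the selector is
// assumed to be developer-controlled.
function styleRuleForLabel(selector, untrustedLabel) {
  return `${selector}::after { content: "${cssStringEscape(untrustedLabel)}"; }`;
}

// Characters that must never appear raw inside the escaped string value.
const RAW_DELIMITERS = /[\r\n\f"'<>\/]/;

// Constructed sample input: a label that tries to close the string, the
// declaration block and the style element.
const sampleLabel = 'x"; } body { background: red } </style>\n';
const sampleRule = styleRuleForLabel(".tag", sampleLabel);
console.log(sampleRule);
```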