[Owasp-leaders] Fwd: Re: [WEB SECURITY] XSS cheat sheet for developers

Eric Sheridan eric.sheridan at owasp.org
Wed Feb 27 16:31:00 UTC 2013


Manico is on it... Thanks Jim.

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com

On 2/27/13 11:18 AM, Ryan Barnett wrote:
> Just to clarify - this isn't being promoted by WASC. Romain simply sent an email to the public web security mail list. 
> 
> --
> Ryan Barnett
> 
> 
> On Feb 27, 2013, at 11:17 AM, Eric Sheridan <eric.sheridan at owasp.org> wrote:
> 
>> Thought this was an interesting thread to forward to the leaders. Looks
>> like Coverity is pushing a new XSS cheatsheet via WASC which is designed
>> to "promote our lib" (CSL) instead of contributing to OWASP XSS
>> Cheatsheet which "is first of all promoting ESAPI".
>>
>> Someone with more PC people skills (i.e. not me) might try to get these
>> efforts merged.
>>
>> Sincerely,
>> Eric Sheridan
>> (twitter) @eric_sheridan
>> (blog) http://ericsheridan.blogspot.com
>>
>>
>> -------- Original Message --------
>> Subject:    Re: [WEB SECURITY] XSS cheat sheet for developers
>> Date:    Wed, 27 Feb 2013 07:45:22 -0800
>> From:    romain <r at fuckthespam.com>
>> To:    Erlend Oftedal <erlend at oftedal.no>
>> CC:    websecurity at lists.webappsec.org <websecurity at lists.webappsec.org>
>>
>>
>>
>> Argh, sorry about the blog and IE10. Not the first time I hear that...
>>
>> Concerning the CSS string escaper, we did some testing, but not on super
>> old browsers actually. However, we looked at how CSS parsers are
>> recovering from errors, and what characters need to be escaped. That's
>> mostly why our CSS string escaper will escape new line chars and more.
>> Still, we have some more work to do; CSS parsers are a real pain.
>>
>> Contributing to the OWASP XSS prevention cheat sheet is something we talked
>> about. However, the OWASP document is first of all promoting ESAPI when
>> we are sorta promoting our lib. We are also talking about HTML contexts
>> at a more fine-grained level and it's difficult to put this in the OWASP
>> framework.
>> The OWASP cheat sheet format also doesn't play well with what we wanted
>> to do. They are driven by a few rules for preventing XSS; we're more about
>> code examples.
>>
>> Romain
>>  - @rgaucher
>>
>>
>> On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no
>> <mailto:erlend at oftedal.no>> wrote:
>>
>>    Hard to tell really as your website blocks IE10 thinking it's IE6
>>    (not optimizing for old browsers is ok, but blocking is an
>>    antipattern - especially when it's wrong).
>>
   Joke aside, the document itself seems decent. It's easy to get an
   overview of the contexts. Did you test your CSS escaping in older
   browsers? I seem to remember there were some problems, and that
   escaping itself was not enough.
>>
>>    Also, why build your own cheat sheet instead of contributing to the
>>    established free and open OWASP XSS Prevention Cheat Sheet?
>>
>>    Best regards,
>>    Erlend Oftedal
>>
>>
>>    On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com
>>    <mailto:r at fuckthespam.com>> wrote:
>>
>>        Everybody,
       We are releasing an XSS cheat sheet for developers today. The document
       talks about several contexts (13 combinations right now, but
       we'll be improving it).
       Some more info is available on the Coverity blog:
>> https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
>>
>>        Our goal is to keep improving this cheat sheet while adding
>>        escapers and sanitizers to our library:
>>        https://github.com/coverity/coverity-security-library
>>
>>        Cheers,
>>        Romain
>>
>>        _______________________________________________
>>        The Web Security Mailing List
>>        websecurity at lists.webappsec.org
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
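The CSS string-escaping point Romain makes in the forwarded thread (escape newlines "and more", because of how CSS parsers recover from errors) is easier to see in code. What follows is an added example written for this page; it is not code from the Coverity Security Library, from ESAPI, or from the OWASP cheat sheet. It assumes the untrusted value is being placed inside a double-quoted CSS string, and the function names (cssStringEscape, cssStringUnescape, isSafeCssStringBody, buildStyle) and the PAYLOAD sample are my own constructions.

```javascript
// Added example (not from the Coverity Security Library or the OWASP
// cheat sheet): a conservative escaper for untrusted text placed inside a
// quoted CSS string, plus a decoder that follows the CSS escape rule so the
// escaper's output can be checked for a clean round trip.
//
// Why newlines matter: a raw newline inside a CSS string is not legal. The
// tokenizer emits a bad-string token, the declaration containing it is
// discarded, and parsing resumes with the text that follows, so whatever an
// attacker placed after the newline is read as fresh CSS. Escaping only the
// quote and backslash characters is therefore not enough; everything outside
// a narrow allowlist is hex-escaped here.

// Characters copied through unchanged; everything else becomes \<hex><space>.
const SAFE_CHAR = /^[A-Za-z0-9 ]$/;

function cssStringEscape(input) {
  let out = '';
  for (const ch of String(input)) {          // iterates by code point
    if (SAFE_CHAR.test(ch)) {
      out += ch;
      continue;
    }
    // A single whitespace after the hex digits is consumed as part of the
    // escape, so it terminates the escape and stops a following hex-like
    // data character from being absorbed ("\e9 0" is "é0", "\e90" is U+0E90).
    out += '\\' + ch.codePointAt(0).toString(16) + ' ';
  }
  return out;
}

// Decoder for the CSS escape rule: backslash, one to six hex digits, then an
// optional single whitespace that belongs to the escape. NUL, surrogates and
// out-of-range values map to U+FFFD as the CSS Syntax spec requires.
// (String continuation, a backslash directly before a newline, is not
// modelled here; the escaper above never emits it.)
function cssStringUnescape(escaped) {
  let out = '';
  let i = 0;
  while (i < escaped.length) {
    if (escaped[i] !== '\\') {
      out += escaped[i++];
      continue;
    }
    let j = i + 1;
    let hex = '';
    while (j < escaped.length && hex.length < 6 && /[0-9A-Fa-f]/.test(escaped[j])) {
      hex += escaped[j++];
    }
    if (hex.length === 0) {                  // "\x" stands for the literal x
      out += j < escaped.length ? escaped[j] : '';
      i = j + 1;
      continue;
    }
    if (j < escaped.length && /[ \t\n\r\f]/.test(escaped[j])) j++;
    const cp = parseInt(hex, 16);
    const bad = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    out += bad ? '\ufffd' : String.fromCodePoint(cp);
    i = j;
  }
  return out;
}

// True when a string body consists only of allowlisted characters and
// well-formed, space-terminated hex escapes, i.e. nothing that can end the
// string or the declaration early.
function isSafeCssStringBody(body) {
  return /^(?:[A-Za-z0-9 ]|\\[0-9a-f]{1,6} )*$/.test(body);
}

// Render an untrusted value as the quoted string value of one declaration.
function buildStyle(selector, property, untrusted) {
  return `${selector} { ${property}: "${cssStringEscape(untrusted)}"; }`;
}

// Constructed attacker input: a raw newline ends the string early; the rest
// is shaped so that a recovering parser would close the declaration and the
// rule and then read a brand-new rule (body { display: none }).
const PAYLOAD = 'ok\n; } body { display: none } .x { content: "';

console.log(buildStyle('.banner', 'content', PAYLOAD));
```

This escaper is only correct for a quoted string context; an unquoted property value, a url() without quotes, or a selector needs different handling, which is the "fine-grained contexts" problem the thread alludes to. Hex-escaping `<`, `>`, `/` and `&` as well costs nothing and also protects a style sheet that is inlined into an HTML `<style>` element from a `</style>` breakout, which no CSS-only escaping of quotes would catch.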

