[Owasp-leaders] ZAP as a Service
Jim Manico
jim.manico at owasp.org
Thu May 28 16:15:18 UTC 2015
Avoid any UI/Template framework that...
1) Forces you to do output encoding/escaping manually or does not do
context aware auto-escaping.
2) Is lacking HTML sanitization
3) Does not support CSP
The two best UI platforms right now (in terms of XSS resistance), IMO,
are Go Templates and Angular.
Aloha,
Jim
On 5/28/15 5:38 PM, psiinon wrote:
> I was going to have this discussion on the ZAP Dev Group, but I'm also
> very interested to hear the opinions of the members of this list :)
>
> Angular is definitely on my list to look closely at, as is React.js
>
> Any other suggestions, either to look at or avoid?
>
> Many thanks,
>
> Simon
>
> On Thu, May 28, 2015 at 4:27 PM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
>
> I personally recommend Angular templates. This is quickly becoming
> the de facto standard for XSS-resistant templating. It's one of the
> only popular context-aware auto-escaping templates, it has a
> built-in HTML sanitizer, and it offers an integrated CSP module.
>
> If you have a greenfield project choice - go Angular. Just make
> sure your developers are using the HTML sanitizer any time they
> disable escaping for a certain field.
>
> Aloha,
> Jim
>
> On 5/28/15 4:38 PM, Dinis Cruz wrote:
>> Let me (or Michael Hidalgo from OWASP in Costa Rica) know if you
>> want a NodeJS front-end that runs with Jade Templates (with no or
>> minimal JavaScript)
>>
>> That is what we spend our days coding in :)
>>
>> Dinis
>>
>> On 28 May 2015 at 13:40, psiinon <psiinon at gmail.com
>> <mailto:psiinon at gmail.com>> wrote:
>>
>> We certainly don't want to hand-craft a load of JS and cope
>> with all of the different browser variations ;)
>> So yes, I expect we'll be using a JS framework.
>> I've started investigating them, but it's early days - this is
>> one we'll definitely be discussing on the ZAP Developer Group.
>>
>> Cheers,
>>
>> Simon
>>
>> On Thu, May 28, 2015 at 1:36 PM, johanna curiel curiel
>> <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>>
>> wrote:
>>
>> Hi Simon
>>
>>
>> You mentioned you will use HTML5. Are you planning to
>> use this in combination with any JavaScript frameworks, or
>> could the use of JSP be implemented?
>>
>> regards
>>
>> Johanna
>>
>> On Thu, May 28, 2015 at 7:23 AM, psiinon
>> <psiinon at gmail.com <mailto:psiinon at gmail.com>> wrote:
>>
>> Leaders,
>>
>> Last week at Amsterdam I announced a new direction
>> for ZAP - ZAP as a Service (ZaaS).
>> I've just published a blog post which gives a few
>> more details:
>> http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html
>>
>> I think this is a major development for ZAP, which is
>> why I've posted to this list ;)
>>
>> Cheers,
>>
>> Simon
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP>
>> Project leader
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> <mailto:OWASP-Leaders at lists.owasp.org>
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
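Jim's first point, context-aware auto-escaping versus manual escaping, is easy to see with Go's standard library, since "Go Templates" is one of the two platforms he names. The following is an added example written for this page, not code from the thread, from ZAP or from any project discussed here. It renders one template with `text/template` (no escaping; the developer must escape by hand) and then the identical template with `html/template`, which inspects the surrounding markup and applies a different escaper for HTML text, a quoted attribute, a URL path and a JavaScript expression. `RenderTrusted` shows the escape hatch his warning is about: `template.HTML` switches escaping off for a value, so only sanitizer output should ever be wrapped in it. The `Untrusted` input string is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Untrusted is a constructed sample of attacker-shaped user input: it tries
// to close a quoted attribute and then inject a script element.
const Untrusted = `"><script>alert(1)</script>`

// page interpolates the same value into four different contexts: HTML text,
// a quoted attribute, a URL path and a JavaScript expression. A manual
// escaping scheme would need a different escaper for each of them.
const page = `<p>{{.Name}}</p>
<a title="{{.Name}}" href="/u/{{.Name}}">profile</a>
<script>var name = {{.Name}};</script>
`

type view struct{ Name string }

// RenderUnsafe renders page with text/template, which performs no escaping
// at all: every field would have to be escaped by hand, per context, and a
// single missed field is an XSS.
func RenderUnsafe(name string) (string, error) {
	t, err := texttemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, view{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe renders the identical page with html/template, which parses the
// template as HTML and chooses an escaper per insertion point: entity
// encoding in text and attribute contexts, percent-encoding in the URL path,
// and JSON-style string encoding inside the script element.
func RenderSafe(name string) (string, error) {
	t, err := htmltemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, view{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderTrusted shows the escape hatch. Wrapping a value in template.HTML
// tells html/template it is already safe markup, so it is emitted verbatim.
// Only the output of an HTML sanitizer belongs here; wrapping raw user input
// reintroduces exactly the XSS that auto-escaping removed.
func RenderTrusted(fragment string) (string, error) {
	t, err := htmltemplate.New("frag").Parse(`<div>{{.}}</div>`)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, htmltemplate.HTML(fragment)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	unsafe, _ := RenderUnsafe(Untrusted)
	safe, _ := RenderSafe(Untrusted)
	fmt.Println("text/template (manual escaping, none done here):")
	fmt.Print(unsafe)
	fmt.Println("html/template (context-aware auto-escaping):")
	fmt.Print(safe)
}
```

Running it prints the payload verbatim four times from `text/template`, while `html/template` emits `&lt;script&gt;` in the paragraph and attribute, `%3cscript%3e` in the `href` path and `\u003cscript\u003e` inside the script block, each form correct for its own context. Code review of a Go code base following this thread's advice therefore reduces to two greps: no `text/template` for anything that reaches a browser, and every `template.HTML` conversion traceable to a sanitizer.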