The Open Web Application Security Project (OWASP) has recently released a XSS (Cross Site Scripting) Prevention Cheat Sheet. This cheat sheet helps developers identify how and when to output encode or escape untrusted user data when including it within a page. I am particularly excited about this resource because it not only discusses the case in which HTML encoding is necessary, but also helps layout rules or conditions for using JavaScript, CSS, Attribute, and other encoding schemes.
It is important for developers to understand that the appropriate encoding scheme must be applied based on the context in which untrusted user data is being included within the page.
As a side note, RSnake's XSS cheat sheet, used by security staff to identify cross-site scripting attacks, has been around for a while. These two cheat sheets seem to compliment each other well.
Friday, January 23, 2009
Subscribe to:
Posts (Atom)