OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Address GitHub issue #1092 (#1334)

Closed kwwall closed 4 months ago

kwwall commented 4 months ago

I think this PR could still use a lot of work, especially to be made a bit more succinct. Unfortunately, my middle name is "TL;DR", so I'm not the best one for a day job at Reader's Digest, but surely one of our reviewers has those mad skills.

For the most part, this is largely based on ESAPI wiki post, XSS Defense: No Silver Bullets, which I wrote a while ago. That is why there are ESAPI code references here. That's because that is the output encoder that I'm most familiar with. (Duh!) If @jmanico wants to switch them to use the equivalent member function calls from the OWASP Java Encoder project, I have no objections.

I have allowed direct edits to this PR by the CS maintainers, so if you have something to fix, just have at it. And regarding something to "fix", if this is too long, we could consider collapsible sections. That's up to the CS reviewers.

Note, if there are linter errors, I will check them in the build status logs and address them in a subsequent commit.

This PR covers issue #1092
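As an added example (not part of the PR, the cheat sheet, or either encoder project's own code), the ESAPI output-encoder calls the comment refers to are shown here beside the equivalent OWASP Java Encoder calls, one pair per output context. It assumes both libraries are on the classpath and that ESAPI can locate an ESAPI.properties file; the sample input is constructed.

```java
import org.owasp.encoder.Encode;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.EncodingException;

/**
 * Added example, not code from the cheat sheet or from either encoder project.
 * Shows the ESAPI output-encoder calls beside their OWASP Java Encoder
 * equivalents, one pair per HTML output context. The "no silver bullet"
 * point is that the encoder has to match the context the data lands in:
 * a single encodeForHTML() call is the wrong tool inside an attribute,
 * a script block, a URL parameter or a style rule.
 *
 * Assumes both libraries are on the classpath; ESAPI additionally needs an
 * ESAPI.properties file it can find at startup.
 */
public class ContextualEncodingExample {

    // Constructed sample input containing characters each context treats specially.
    static final String UNTRUSTED = "Tom & Jerry <b>\"bold\"</b> 'quote'";

    // --- ESAPI ---------------------------------------------------------
    static String esapiHtmlBody(String s)   { return ESAPI.encoder().encodeForHTML(s); }
    static String esapiHtmlAttr(String s)   { return ESAPI.encoder().encodeForHTMLAttribute(s); }
    static String esapiJs(String s)         { return ESAPI.encoder().encodeForJavaScript(s); }
    static String esapiCss(String s)        { return ESAPI.encoder().encodeForCSS(s); }
    // encodeForURL declares a checked exception in the ESAPI Encoder interface.
    static String esapiUrlParam(String s) throws EncodingException {
        return ESAPI.encoder().encodeForURL(s);
    }

    // --- OWASP Java Encoder equivalents (static, no configuration file) --
    static String encHtmlBody(String s)     { return Encode.forHtml(s); }
    static String encHtmlAttr(String s)     { return Encode.forHtmlAttribute(s); }
    static String encJs(String s)           { return Encode.forJavaScript(s); }
    static String encCss(String s)          { return Encode.forCssString(s); }
    static String encUrlParam(String s)     { return Encode.forUriComponent(s); }

    /** Places one untrusted value into five contexts, each with the encoder
     *  that matches that context (Java Encoder variant). */
    static String renderWithJavaEncoder(String value) {
        return ""
            + "<p>" + encHtmlBody(value) + "</p>\n"                               // element body
            + "<input value=\"" + encHtmlAttr(value) + "\">\n"                    // quoted attribute
            + "<a href=\"/search?q=" + encUrlParam(value) + "\">link</a>\n"       // URL query parameter
            + "<script>var v = '" + encJs(value) + "';</script>\n"                // quoted JS string
            + "<style>.x::after { content: '" + encCss(value) + "'; }</style>\n"; // quoted CSS string
    }

    /** Same page fragment built with the ESAPI calls. */
    static String renderWithEsapi(String value) throws EncodingException {
        return ""
            + "<p>" + esapiHtmlBody(value) + "</p>\n"
            + "<input value=\"" + esapiHtmlAttr(value) + "\">\n"
            + "<a href=\"/search?q=" + esapiUrlParam(value) + "\">link</a>\n"
            + "<script>var v = '" + esapiJs(value) + "';</script>\n"
            + "<style>.x::after { content: '" + esapiCss(value) + "'; }</style>\n";
    }

    public static void main(String[] args) throws EncodingException {
        System.out.println("OWASP Java Encoder:\n" + renderWithJavaEncoder(UNTRUSTED));
        System.out.println("ESAPI:\n" + renderWithEsapi(UNTRUSTED));
    }
}
```

The attribute and script examples deliberately use quoted contexts; an unquoted attribute or an inline event handler is a different context again (the latter needs JavaScript encoding followed by attribute encoding), which is exactly the kind of case the "no silver bullet" framing is warning about.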

kwwall commented 4 months ago

Sure would be nice if it showed all the f'ing lint errors at once. Sigh. If it didn't require npm to run, I'd run it locally first.

otkd commented 4 months ago

> Sure would be nice if it showed all the f'ing lint errors at once. Sigh. If it didn't require npm to run, I'd run it locally first.

@kwwall I've found this VSCode extension to work pretty well: https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint

jmanico commented 4 months ago

Kevin, can you professionalize this a bit? "a silver bullet to slay their XSS werewolves if you will." throws me off a little.

kwwall commented 4 months ago

@jmanico - Yeah, agree. That doesn't make any sense apart from the original ESAPI wiki page title, which was "XSS Defense: No Silver Bullets" and was an homage to Frederick Brooks' classic article "No Silver Bullet: Essence and Accidents of Software Engineering" that was posted in the IEEE Computer in April, 1987. I meant to remove it, but just forgot. (And for those of you for whom Brooks' article was before your time, I strongly urge you to go back and read it. I promise you it is time well spent.)