
Address GitHub issue #1092

Open kwwall opened this issue 4 months ago • 1 comments

I think this PR could still use a lot of work, especially to be made a bit more succinct. Unfortunately, my middle name is "TL;DR", so I'm not the best one for a day job at Reader's Digest, but surely one of our reviewers has those mad skills.

For the most part, this is largely based on the ESAPI wiki post, "XSS Defense: No Silver Bullets", which I wrote a while ago. That is why there are ESAPI code references here. That's because that is the output encoder that I'm most familiar with. (Duh!) If @jmanico wants to switch them to use the equivalent member function calls from the OWASP Java Encoder project, I have no objections.

I have allowed direct edits to this PR by the CS maintainers, so if you have something to fix, just have at it. And regarding something to "fix", if this is too long, we could consider collapsible sections. That's up to the CS reviewers.

Note, if there are linter errors, I will check them in the build status logs and address them in a subsequent commit.

This PR covers issue #1092

kwwall avatar Feb 22 '24 02:02 kwwall

Sure would be nice if it showed all the f'ing lint errors at once. Sigh. If it didn't require npm to run, I'd run it locally first.

kwwall avatar Feb 22 '24 02:02 kwwall

> Sure would be nice if it showed all the f'ing lint errors at once. Sigh. If it didn't require npm to run, I'd run it locally first.

@kwwall I've found this VSCode extension to work pretty well: https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint

otkd avatar Feb 24 '24 15:02 otkd

Kevin, can you professionalize this a bit? "a silver bullet to slay their XSS werewolves if you will." throws me off a little.

jmanico avatar Feb 25 '24 21:02 jmanico

@jmanico - Yeah, agree. That doesn't make any sense apart from the original ESAPI wiki page title, which was "XSS Defense: No Silver Bullets" and was an homage to Frederick Brooks' classic article "No Silver Bullet: Essence and Accidents of Software Engineering" that was published in IEEE Computer in April, 1987. I meant to remove it, but just forgot. (And for those of you for whom Brooks' article was before your time, I strongly urge you to go back and read it. I promise you it is time well spent.)

kwwall avatar Feb 26 '24 02:02 kwwall