Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: JS XSS protection library
From: Ryan Dewhurst <ryandewhurst () gmail com>
Date: Wed, 10 Jul 2013 16:38:51 +0200

The OWASP DOM XSS Prevention Cheat Sheet (if you haven't come across it
already) lists these:

"
1.ESAPI
2.Apache Commons String Utils
3.Jtidy
4.Your company’s custom implementation.

Some work on a black list while others ignore important characters like “<”
and “>”. ESAPI is one of the few which works on a whitelist and encodes all
non-alphanumeric characters. It is important to use an encoding library
that understands which characters can be used to exploit vulnerabilies in
their respective contexts. Misconceptions abound related to the proper
encoding that is required.
" - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

I have no experience with any of them, so can't recommend any.


On Sun, Jul 7, 2013 at 8:51 PM, Robin Wood <robin () digininja org> wrote:

Can anyone suggest a JS XSS protection library?

Please don't preach they don't work its for a special project so even a
bad one will do.

Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]