Re: JS XSS protection library

[Robin Wood <robin () digininja org>]

Thanks for the suggestions, as long as it gives the impression it is
filtering I'm happy so I'll see which of these is the easiest to drop in.

Robin
On Jul 14, 2013 3:47 AM, "Ryan Dewhurst" <ryandewhurst () gmail com> wrote:

> The OWASP DOM XSS Prevention Cheat Sheet (if you haven't come across it
> already) lists these:
>
> "
> 1.ESAPI
> 2.Apache Commons String Utils
> 3.Jtidy
> 4.Your company’s custom implementation.
>
> Some work on a black list while others ignore important characters like
> “<” and “>”. ESAPI is one of the few which works on a whitelist and encodes
> all non-alphanumeric characters. It is important to use an encoding library
> that understands which characters can be used to exploit vulnerabilies in
> their respective contexts. Misconceptions abound related to the proper
> encoding that is required.
> " - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
>
> I have no experience with any of them, so can't recommend any.
>
>
> On Sun, Jul 7, 2013 at 8:51 PM, Robin Wood <robin () digininja org> wrote:
>
> > Can anyone suggest a JS XSS protection library?
> >
> > Please don't preach they don't work its for a special project so even a
> > bad one will do.
> >
> > Robin
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com