
XSS (Cross Site Scripting) Cheat Sheet - nickb
http://ha.ckers.org/xss.html
======
rnknt
This thing is oooooold, but useful ;)

~~~
nickb
_"Also as a consequence of the introduction of new bugs, program maintenance
requires far more system testing per statement written than any other
programming. Theoretically, after each fix one must run the entire batch of
test cases previously run against the system, to ensure that it has not been
damaged in an obscure way. In practice, such regression testing must indeed
approximate this theoretical idea, and it is very costly." -- Fred Brooks, The
Mythical Man-Month (p 122)_

------
axod
Surely a checklist is missing the whole point.

Don't go through the list checking for each one, treat _everything_ as evil,
and only allow through what you _know_ is good.

~~~
nostrademons
That's a much better general principle, but oftentimes you have to use third-
party software which you're not sure is safe. A checklist gives you a bunch of
tests that you can quickly run to see if the developers were paying attention
to XSS issues or not. You can decide whether or not to use the library based
on the results.

Spez said recently that over half of Reddit's XSS issues were caused by
Markdown. It's not unusual for websites to require 3rd-party forums or comment
engines or skinning systems, too.

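An added illustration (example code written for this thread, not from the linked cheat sheet or from either commenter) of axod's allow-list principle and nostrademons' use of the cheat sheet as a quick test suite: a deny-list filter beside an allow-list sanitizer, plus a checklist runner that reports which samples a filter fails to neutralise. The allowed-tag policy and the sample inputs are assumptions constructed here.

```python
import html
import re
from html.parser import HTMLParser

# Deny-list filter: strips the one construct its author thought of (the "checklist" mindset).
SCRIPT_TAG = re.compile(r"<script[^>]*>.*?</script>", re.DOTALL)

def denylist_filter(s: str) -> str:
    return SCRIPT_TAG.sub("", s)

# Allow-list policy (assumed here): these tags pass with no attributes; everything else is dropped.
ALLOWED_TAGS = frozenset({"b", "i", "em", "strong", "p", "code"})

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from scratch: known-good tags only, all text entity-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:  # attributes are never echoed, so no on*= handler survives
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

def allowlist_sanitize(s: str) -> str:
    p = AllowlistSanitizer()
    p.feed(s)
    p.close()
    return "".join(p.out)

def checklist_failures(filter_fn, samples):
    """Run a filter over a checklist; return the samples whose output is still outside the policy.
    A result is within policy exactly when the allow-list sanitizer leaves it unchanged."""
    def within_policy(out: str) -> bool:
        return allowlist_sanitize(out) == out
    return [s for s in samples if not within_policy(filter_fn(s))]

SAMPLES = [  # constructed, in the spirit of the cheat sheet
    "<ScRiPt>alert(1)</ScRiPt>",                # case variation slips past a case-sensitive regex
    "<b>bold</b><img src=x onerror=alert(1)>",  # no script tag, so the deny-list never fires
    "<p>1 &lt; 2</p>",                          # benign markup must survive intact
]
```

Running the checklist against `denylist_filter` reports the first two samples as not neutralised, while `allowlist_sanitize` fails none and keeps the benign paragraph intact.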
~~~
axod
Good point. Relying on other people's code is horrible. Has to be done
_sometimes_ though ;)

------
redorb
Guess this is in light of Google's App Engine page getting hacked?

~~~
morbidkk
Despite <http://code.google.com/p/google-caja/>

