

XSS Prevention Cheat Sheet - wooter
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

======
ef4
Oh, the irony. I protect myself from XSS with NoScript. Which prevents me from
reading the text of this article.

Way to not fall back gracefully.

~~~
yycom
In firebug, remove the first html > head > style element:

    <style> body { display : none;} </style>

~~~
ivank
or Firefox menu -> View -> Page Style -> No Style

------
Ownatik
Good stuff but not really a cheat sheet...

~~~
Xk
XSS prevention cheat sheet:

1) Never send untrusted data to the client.

How you do that isn't terribly important. It just matters that you do. Which
is what that page is talking about: what you can do in order to never send
untrusted data to the client.

Web developers would love it if there was a paragraph explanation that could
explain how to prevent all XSS vulnerabilities in every site in detail, but
there isn't.
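
The "how you do that" part, as an added example that is not part of Xk's comment or of the linked OWASP page: untrusted data is escaped for the exact output context it lands in (HTML body, HTML attribute, JavaScript string), which is what the cheat sheet's first rules describe. The function names and the sample page fragment are my own.

```python
# Added example (not from the OWASP cheat sheet or any commenter): one encoder
# per output context, because a value that is safe in an HTML body can still
# break out of an attribute or a <script> string literal.
import html
import json


def encode_for_html_body(value: str) -> str:
    """HTML body context: entity-encode & < > " ' and / so the value is text only."""
    return html.escape(value, quote=True).replace("/", "&#x2F;")


def encode_for_html_attribute(value: str) -> str:
    """HTML attribute context: encode every non-alphanumeric character as &#xHH;
    so the value cannot close the attribute, even an unquoted one."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):02x};" for c in value)


def encode_for_js_string(value: str) -> str:
    """JavaScript string context: emit a quoted JS literal (quotes, backslashes
    and control characters handled by the JSON encoder) and additionally
    \\xHH-escape < > & / so the literal cannot terminate the <script> block."""
    literal = json.dumps(value)  # ensure_ascii=True, so only ASCII is left to handle
    return (literal.replace("<", "\\x3c").replace(">", "\\x3e")
                   .replace("&", "\\x26").replace("/", "\\x2f"))


def render_profile(name: str) -> str:
    """Constructed page fragment that places the untrusted `name` into all three
    contexts. Each slot uses the encoder for its own context, never a shared one."""
    return (
        f"<p>Hello, {encode_for_html_body(name)}</p>\n"
        f'<input value="{encode_for_html_attribute(name)}">\n'
        f"<script>var user = {encode_for_js_string(name)};</script>"
    )


if __name__ == "__main__":
    # Constructed sample input: a name that tries to close each context.
    print(render_profile('"><script>alert(1)</script>'))
```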

~~~
Xurinos
That's excellent! We can pair that with the other prevention cheat sheet:

1) Never trust what the client sends you.

AKA "How to prevent SQL injection and other such nasties"

~~~
tptacek
These are the two least-useful pieces of advice in software security. Everyone
has heard them, _nobody_ is secure.

Great counter-indication of software security: "We have no SQL injection. No
way. You'd get fired." What that tells me? You're not looking out for SQL
injection; you think it can't happen.

~~~
khafra
Someone here--it may have been you--highlighted this problem once as the
difference between a diet that works and public policy on diet that works. If
you actually follow the (security guidelines|diet), you'll be good; but
naively telling people has very little effect.

