XSS (Cross Site Scripting) Cheat Sheet (ckers.org)
39 points by nickb on April 9, 2008 | 9 comments



This thing is oooooold, but useful ;)


"Also as a consequence of the introduction of new bugs, program maintenance requires far more system testing per statement written than any other programming. Theoretically, after each fix one must run the entire batch of test cases previously run against the system, to ensure that it has not been damaged in an obscure way. In practice, such regression testing must indeed approximate this theoretical idea, and it is very costly." -- Fred Brooks, The Mythical Man Month (p 122)


Updated for IE7 and FF2 though.


Surely a checklist is missing the whole point.

Don't go through the list checking for each one, treat everything as evil, and only allow through what you know is good.


That's a much better general principle, but oftentimes you have to use third-party software which you're not sure is safe. A checklist gives you a bunch of tests that you can quickly run to see if the developers were paying attention to XSS issues or not. You can decide whether or not to use the library based on the results.

Spez said recently that over half of Reddit's XSS issues were caused by Markdown. It's not unusual for websites to require 3rd-party forums or comment engines or skinning systems, too.
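The two comments above make a pair of practical points: filter by allowlist rather than by denylist, and use a list of known XSS vectors as a quick test of whether some third-party component was written with XSS in mind. The following is an added example (not code from the linked cheat sheet, from Reddit, or from anyone in this thread) that does both: a naive denylist filter and a small allowlist filter are run over a handful of constructed payloads of the kind such cheat sheets collect. The tag and attribute regexes, the allowlists and the payloads are all assumptions made for the illustration; a real sanitizer should sit on a proper HTML parser.

```javascript
// Added example: denylist vs allowlist filtering of untrusted HTML.
// Not from the linked cheat sheet or any project in the thread; the
// filters and sample payloads below are constructed for illustration.

// Denylist: strip what we know is bad, let everything else through.
function denylistFilter(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Allowlist: nothing passes unless it is on the list (assumed lists).
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Browsers ignore control characters and whitespace inside a scheme
// ("java\tscript:"), so strip them before checking for http(s).
function safeHref(value) {
  const stripped = value.replace(/[\u0000-\u0020]/g, "");
  return /^https?:\/\//i.test(stripped) ? stripped : null;
}

// A deliberately small tag grammar: <name attr="v" attr='v' attr=v ...>
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Re-emit an allowed tag from scratch, keeping only allowed attributes.
function rebuildTag(closing, name, attrText) {
  if (closing) return `</${name}>`;
  const allowed = ALLOWED_ATTRS[name] || new Set();
  let out = `<${name}`;
  for (const m of attrText.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    if (!allowed.has(attr)) continue; // drops onerror, style, onclick, ...
    const raw = m[2] ?? m[3] ?? m[4] ?? "";
    const value = attr === "href" ? safeHref(raw) : raw;
    if (value === null) continue; // javascript: and friends are dropped
    out += ` ${attr}="${escapeHtml(value)}"`;
  }
  return out + ">";
}

function allowlistFilter(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    if (html[i] === "<") {
      const m = TAG_RE.exec(html.slice(i));
      if (m && ALLOWED_TAGS.has(m[2].toLowerCase())) {
        out += rebuildTag(m[1] === "/", m[2].toLowerCase(), m[3]);
        i += m[0].length;
        continue;
      }
    }
    // Anything that is not a recognised, allowed tag is plain text.
    out += escapeHtml(html[i]);
    i += 1;
  }
  return out;
}

// Constructed payloads in the style of an XSS cheat sheet (not copied from it).
const SAMPLES = [
  "<b>bold</b> and <a href=\"https://example.org/\">a link</a>",
  "<ScRiPt>alert(1)</ScRiPt>",
  "<img src=x onerror=alert(1)>",
  "<a href=\"jAva\tscript:alert(1)\">click</a>",
  "<scr<script></script>ipt>alert(1)</script>",
];

for (const s of SAMPLES) {
  console.log("input:     ", JSON.stringify(s));
  console.log("denylist:  ", JSON.stringify(denylistFilter(s)));
  console.log("allowlist: ", JSON.stringify(allowlistFilter(s)));
}
```

Run with node. The denylist filter catches the obvious `<script>` tag but lets the `onerror` handler, the `javascript:` link and the nested `<scr<script></script>ipt>` trick through (the last one is reassembled into a working `<script>` tag by the filter itself). The allowlist filter keeps the benign markup intact, drops the unlisted attribute and the non-http(s) link, and escapes everything it does not recognise. It is intentionally conservative: `&` in text is always re-escaped, so pre-encoded entities come out double-encoded rather than risk being decoded into markup.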


Good point. Relying on other people's code is horrible. Has to be done sometimes though ;)


That's what's great about open source: I can monkey with the security to do custom checks.


Guess this is in light of Google's App Engine page getting hacked?