What is encoding?

Feb 25, 2009 at 10:49 AM
Hi,

I created the following blog post when preparing for a couple of talks on encoding data using AntiXSS and the SRE:
http://pageofwords.com/blog/2009/02/25/WhatIsEncodingCrossSiteScriptingAndTheAntiXSSEncodingMethods.aspx

I would appreciate any feedback or comments here or on that post.

Cheers,

Kirk

Feb 25, 2009 at 11:57 AM

Hi Kirk-

Dennis Groves here, the Project Manager of AntiXSS. It is a great post and thank you for the shout out...

It is interesting to note that data input validation, aka “trust no-one”, is not just a web application mantra but should be the mantra of all developers. As you can read here <http://cm.bell-labs.com/who/ken/trust.html>, in 1984 Ken Thompson correctly identified this as an issue for all developers. This is the genuine state of security – 15 years later, data input validation remains the most prevalent issue in developing secure software. If we could, as a security industry, get developers to just validate input (i.e. “trust no-one”), I fully believe that 80% of all security issues would immediately go away.

Cheers,

-Dennis

Mar 6, 2009 at 3:06 AM
Hi Kirk,

Excellent blog on the issues of XSS. I have passed it on to our developers to have a read and understand the problem.

Thanks
Myles.