by billyhoffman
3756 days ago
Slick and a nice UI, but the security advice in this is just plain terrible. Blacklist input validation as defense against XSS? Are you kidding me? And then over to session fixation, where I see the exact same ?jsessionid=blah example that has been in any Web Security book for the last 10-15 years? Come on!
Where are you seeing that? The advice I can see talks about escaping HTML rather than blacklisting input validation: https://www.hacksplaining.com/prevention/xss-stored
Unfortunately it doesn't discuss escaping JavaScript or CSS. But at least it covers the most common case.
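An added example to illustrate the two points raised in this thread; it is not code from hacksplaining.com or from either commenter. The blacklist filter and the payloads are constructed for the demonstration. Part (1) shows why a blacklist input filter is not an XSS defence (a nested tag survives one pass, and a tag the list never mentions passes untouched); part (2) shows output encoding picked per sink, covering the HTML context the site discusses and the JavaScript-string and CSS-string contexts the second comment notes it leaves out.

```javascript
// Added example, not code from hacksplaining.com or from the commenters.
// (1) a blacklist input filter and two bypasses; (2) per-context output
// encoders for HTML, JavaScript string and CSS string sinks.
// All sample inputs are constructed payloads.

// (1) A blacklist filter of the kind the first comment objects to.
function blacklistFilter(input) {
  return String(input)
    .replace(/<\s*\/?\s*(script|img|iframe)[^>]*>/gi, '')
    .replace(/javascript:/gi, '');
}
// "<scr<script>ipt>" collapses to "<script>" after the inner tag is
// removed, and "<svg onload=...>" is simply not on the list.

// (2a) HTML text and quoted-attribute context: entity-encode the
// characters that can end a text node or attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                       '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, c => HTML_ESCAPES[c]);
}

// (2b) JavaScript string-literal context: hex-escape every character
// outside [A-Za-z0-9]. This also neutralises "</script>" inside the
// literal, because "<" and "/" become \x3c and \x2f, so the HTML parser
// never sees a closing tag. Note that escapeHtml is the wrong tool here:
// inside a <script> block entities are not decoded, so "&#x27;" is
// delivered to the JS parser as six literal characters, while in an
// inline event-handler attribute they ARE decoded before the JS runs.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// (2c) CSS string context: CSS hex escape "\HH " (the trailing space
// terminates the escape so the following character is not absorbed).
function escapeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// Untrusted `name` lands in three different sinks, each with its own
// encoder. Using escapeHtml for all three would leave the JS and CSS
// sinks exploitable.
function renderProfile(name) {
  return [
    `<h1>Hello, ${escapeHtml(name)}</h1>`,
    `<script>var user = '${escapeJsString(name)}';</script>`,
    `<style>h1::after { content: '${escapeCss(name)}'; }</style>`,
  ].join('\n');
}

console.log(blacklistFilter('<scr<script>ipt>alert(1)</script>'));
console.log(renderProfile("</script><script>alert(1)</script>"));
```

The encoders are deliberately conservative (everything outside `[A-Za-z0-9]` is escaped in the JS and CSS sinks); a production template engine does the same job with context-aware auto-escaping, and the point of the example is that the choice of encoder follows the sink, not the input.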