Partager via


Cry or Smile? You Decide...

On Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here's an excerpt.

When a customers [sic, you need to learn some simple grammar, Curphey!] development team was recently asked to use the AntiXSS library, validate input and encode output for their web interface they replied (and I quote) “we do not use cross site scripting”.

When Mark emailed me I didn't know whether I should laugh or cry. Seriously, I didn't know. I was blown away. With all the knowledge out there about security bugs, someone thought XSS was a valid feature.

Does this mean that all the good work done by so many people for so many years is just wasted effort?

Comments

  • Anonymous
    January 11, 2008
    OMG!!! I'm going now to include that new feature in my websites... because is 2.0, don't?

  • Anonymous
    January 11, 2008
    The comment has been removed

  • Anonymous
    January 11, 2008
    The comment has been removed

  • Anonymous
    January 13, 2008
    Many corporations make every excuse in the book to avoid having to do any work.  If you show them a security bug, they'll say they want a proof of concept or proof of an actual breach or will believe no one is interested in hacking them. It's easier than gaining the expertise or doing anything.

  • Anonymous
    January 13, 2008
    Maybe understandable... "XSS" sounds like the XML version of "CSS", doesn't it?  (whatever that means...:-) But I suspect that the VAST majority of developers out there think of security as someone else's worry -- "it's something Microsoft has to worry about, not me."

  • Anonymous
    January 16, 2008
    The comment has been removed

  • Anonymous
    February 29, 2008
    I have a couple of questions regarding the AntiXSS library. If it is a best practice to use this:

  1. Why isn't this part of the standard .Net framework?
  2. Why doesn't fxCop check for it, and recommend its use? [this blog entry was the first I had heard of it]
  • Anonymous
    March 02, 2008
    Je viens de lire un post qui fait peur sur le blog de Michael Howard , où il parle d'une discussion qu'a

  • Anonymous
    March 04, 2008
    I am just supprised how ignorant some people are. X stands for letter X not cross.  They obviously lack certain inteligence.