<p>"Failure to Avoid Web 2.0" is one of CWE/SANS new highly respected, well-put together, professional, only "half plagiarized Top 25 Coding Errors." Everyone tries to avoid XSS (aka Web 2.0) in their own terrible way - being overly restrictive with input validation, performing total output encoding, building a blacklist, or utilizing hope and prayer. These approaches all either suck for business or suck for security.</p><p>AntiSamy uses a positive model for translating horribly broken, unsafe, malicious rich content from users and turning it into safe content without fearing of exposing its users to malicious code. Think of it as "a NoScript" API for web developers. We invite you to take a look at our approach, our rules, the history, and some interesting attacks we learned along the way.</p>
Arshan Dabirsiaghi is the Director of Research of <a href="http://www.aspectsecurity.com/">Aspect Security</a>, a company that specializes in application security services. He contributes to many OWASP groups and, not surprisingly, voted for Nader.</p> Arshan just left PR hack on AOL yesterday and is trying to figure out why alert(document.cookie) is so interesting. He spends most of his work time abusing web applications, teaching classes all over the world and doing research into next generation web application attacks and defenses. He also feels weird about doing the only defensive talk at ShmooCon 2009 and promises to be more offensive than George Carlin next time he comes back.</p>
Jason Li is a Senior Application Security Engineer at Aspect Security. He serves on the OWASP Global Projects and Tools Committee and also contributes to a number of OWASP projects. He spends most of his time either ballroom dancing or keeping Arshan from destroying the world.</p>