Update: Third_Party_Javascript_Management_Cheat_Sheet, DOM_Clobbering_Prevention_Cheat_Sheet, AJAX_Security_Cheat_Sheet, DOM_based_XSS_Prevention_Cheat_Sheet #1140
Comments
Thanks @tghosth for the issue!
I agree with @mackowski. There could be value in having it all unified, but if we want more details it's worthwhile to have them separated out so we don't end up with the master one being too long. At some point it's hard to call it a "cheat sheet" when it's too long. Then it's just a reference.
So I hear that, but at the same time I think a unified reference for security in a language is a worthy goal. The dotnet cheat sheet is currently about ~1,100 lines and unifying the JS cheat sheet would make it ~1,200 lines, so I don't think that is completely out of proportion. Would you like me to proceed? My main goal is to get the Protecting against Prototype Pollution content integrated into the cheatsheets project in a logical way, so I don't want to try and start a huge content change exercise.
I think it's worthwhile to have a summary or checklist of main points for each topic in the main cheat sheet, and then link to the individual cheat sheet for more details. What do you think @mackowski @jmanico @kwwall?
Problem is, how does that solve my main goal:
Ah, I see. Looking at the existing cheat sheets, they are on the shorter side, so maybe it wouldn't be so bad to combine them...
I just think it would be weird to have a cheatsheet with a lot of detail on parameter pollution and then summaries of a bunch of other topics. Do you have examples of where that has been done elsewhere in the cheatsheets project?
Sorry I'm late to the thread on this; too many other irons in the fire and this kept getting pushed down in my TODO list. My personal preference is that each wiki page should be topic specific, so my preference would be just to create a new separate Prototype Pollution Prevention Cheat Sheet (or whatever you were going to name it) and then, if you wish, create a new JavaScript Security Cheat Sheet that gives a 1 or 2 line summary of all the JS related cheat sheets and a link to each of them. I think the big advantage of that is that it makes search engine results more useful. But hey, that's just my opinion, so take it or leave it. RUN AWAY! RUN AWAY!
PS: the W3C is working on a standard to “lock” JavaScript on a page so prototype pollution is not possible. It will take •years• but someday this problem will go away.
Ok, so it sounds like consensus is in the direction of creating a new cheatsheet specifically for parameter pollution rather than trying to create one large cheatsheet, correct?
Yup
Ok, merged in #1157 so I will close this
What is missing or needs to be updated?
There are currently a bunch of different cheat sheets which relate to JavaScript.
I have found so far:
I also have other content which probably is not enough for a cheat sheet on its own but would be good to add to an existing cheatsheet such as:
How should this be resolved?
I think that all these cheat sheets should be unified into a new unified JavaScript Cheat Sheet.
Keen to hear your thoughts @manicode @mackowski @kwwall @szh