Add output encoding section to security guide
msecret opened this issue
Marco Segreto commented
In order for 18F developers to have a practical understanding of how to do correct output encoding and understand the risks associated with output encoding, there should be a section in the security guide about it.
It should:
- Include information about XSS attacks
- Either include a link to information about output encoding, or written information.
- The guidance should include practical examples and information on how a team can actually continue this practice on a real team, including tools to use.
- The link should be reviewed by 18F security lead
Marco Segreto commented
This is the best overview guide on how XSS happens: https://excess-xss.com/
Marco Segreto commented
The guidance should focus on front end frameworks, considering that's how most of our code is implemented. We should cover:
- React
- Angular
- Jekyll
- Vanilla JS / Web components
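As an added illustration of the output-encoding rules the issue asks the guide to cover (this is example code written for this thread, not code from the 18F security guide or from any of the commenters), the vanilla-JS block below defines one encoder per output context, shows a raw-concatenation template beside its encoded counterpart, and checks the failure mode practitioners most often hit: using the HTML encoder for data that ends up inside an inline event handler. The payload strings, the `greet` handler name and the `/profile?u=` URL are constructed for the demonstration.

```javascript
// Added example, not from the security guide or the issue author.
// Context-aware output encoding for hand-built HTML in "vanilla JS", plus a
// check that the wrong encoder for a context does not protect.
// All payload strings below are constructed for the demonstration.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Context 1: HTML element content and double-quoted attribute values.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Context 2: inside a JavaScript string literal. Every non-alphanumeric
// character becomes \xHH or \uHHHH, so a quote cannot end the literal and
// "</script>" cannot end the enclosing script block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Context 3: a URL query-parameter value, percent-encoded with the built-in.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Simulates what the HTML parser does to an attribute value before the
// JavaScript engine sees it: entity references are decoded back to characters.
function decodeHtmlEntities(s) {
  const reverse = Object.fromEntries(Object.entries(HTML_ENTITIES).map(([k, v]) => [v, k]));
  return s.replace(/&(?:amp|lt|gt|quot|#x27);/g, (e) => reverse[e]);
}

// Vulnerable: raw concatenation, which is what a naive template helper does.
function renderUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Hardened: each interpolation point uses the encoder for its own context.
// Nested contexts are encoded inside-out: URL-encode then HTML-encode for the
// href attribute; JS-string-encode then HTML-encode for the onclick attribute.
function renderSafe(name) {
  return [
    `<p>Hello, ${encodeForHtml(name)}</p>`,
    `<a href="/profile?u=${encodeForHtml(encodeForUrlParam(name))}">profile</a>`,
    `<button onclick="greet('${encodeForHtml(encodeForJsString(name))}')">hi</button>`,
  ].join('\n');
}

// Given the attribute value as written into onclick="greet('...')", returns
// true when a single quote survives HTML decoding and can close the literal.
function jsBreakoutAfterHtmlDecode(attrValue) {
  return decodeHtmlEntities(attrValue).includes("'");
}

const htmlPayload = '<img src=x onerror=alert(1)>';   // constructed
const jsPayload = "');alert(1);//";                   // constructed

console.log(renderUnsafe(htmlPayload));   // the script-bearing tag reaches the page
console.log(renderSafe(htmlPayload));     // rendered everywhere as inert text
// HTML encoding alone is the wrong encoder for an event-handler attribute:
console.log(jsBreakoutAfterHtmlDecode(encodeForHtml(jsPayload)));                    // true
console.log(jsBreakoutAfterHtmlDecode(encodeForHtml(encodeForJsString(jsPayload)))); // false
```

The design point is that there is no single "escape" function: the encoder is chosen by where the data lands (element body, attribute, JS string, URL), and when contexts nest, each layer is applied in the order the browser will unwrap them. Framework templating in React and Angular performs the HTML-context step automatically; the URL and JS-string cases, and anything rendered through `dangerouslySetInnerHTML`, `bypassSecurityTrust*` or Jekyll's raw Liquid output, still need the explicit encoder for that context.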