Anti-XSS library from Microsoft VERSUS a Content Security Policy (CSP)

How good is the Anti-XSS library from Microsoft?

In the debates between a Content Security Policy vs. the Anti-XSS library from Microsoft, is there a need for both?

It seem the Anti-XSS library from Microsoft will mitigate a variety of potential XSS attacks. But, where is it lacking?

What aspects of CSP are needed when trying to close all the exposures, that the Anti-XSS library from Microsoft does not close?

newbiewebSr. Software EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
I will say Anti-XSS provides the basic and CSP gives the bonus. For addressing XSS vulnerability, OWASP can be referenced as preventive rules.
- Anti-XSS primarily provides the encoding function in its libraries. And as it is a library, it is more for coder to built into the application thus making it more robust.
- CSP layers additional checks such as having rule configured to control as a browser side mechanism that allows you to create source whitelists for client side resources of your web application, e.g. JavaScript, CSS, images, etc. CSP via special HTTP header instructs the browser to only execute or render resources from those sources.  

Collectively you can reap the benefits from both against XSS.

RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
RULE #4 - CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
RULE #6 - Sanitize HTML Markup with a Library Designed for the Job
RULE #7 - Prevent DOM-based XSS
Bonus Rule #1: Use HTTPOnly cookie flag
Bonus Rule #2: Implement Content Security Policy
Bonus Rule #3: Use an Auto-Escaping Template System
Bonus Rule #4: Use the X-XSS-Protection Response Header

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
newbiewebSr. Software EngineerAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.