Anti-XSS library from Microsoft VERSUS a Content Security Policy (CSP)

How good is the Anti-XSS library from Microsoft?

In the debates between a Content Security Policy vs. the Anti-XSS library from Microsoft, is there a need for both?

It seems the Anti-XSS library from Microsoft will mitigate a variety of potential XSS attacks. But where is it lacking?

What aspects of CSP are needed when trying to close all the exposures that the Anti-XSS library from Microsoft does not close?

newbieweb (Sr. Software Engineer) asked:

btan (Exec Consultant) commented:
I will say Anti-XSS provides the basics and CSP gives the bonus. For addressing XSS vulnerability, OWASP can be referenced as preventive rules.
- Anti-XSS primarily provides the encoding functions in its libraries. And as it is a library, it is more for coders to build into the application, thus making it more robust.
- CSP layers additional checks, such as having rules configured as a browser-side mechanism that allows you to create source whitelists for client-side resources of your web application, e.g. JavaScript, CSS, images, etc. CSP, via a special HTTP header, instructs the browser to only execute or render resources from those sources.

Collectively you can reap the benefits from both against XSS.

RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
RULE #4 - CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
RULE #6 - Sanitize HTML Markup with a Library Designed for the Job
RULE #7 - Prevent DOM-based XSS
Bonus Rule #1: Use HTTPOnly cookie flag
Bonus Rule #2: Implement Content Security Policy
Bonus Rule #3: Use an Auto-Escaping Template System
Bonus Rule #4: Use the X-XSS-Protection Response Header
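The answer above contrasts what an encoding library does (rules #1 to #5) with what a CSP header adds (bonus rule #2). The following Python example, added here and not taken from Microsoft's Anti-XSS library or from the question, shows both halves side by side: one encoder per output context, a small page that inserts the same untrusted value only through the encoder for each location, and a CSP header built from a source whitelist. The encoder names, the sample page, and the host https://cdn.example are constructed for illustration.

```python
"""Context-aware output encoding (the job of an Anti-XSS library) beside a
Content-Security-Policy header (what CSP adds). Added example: the encoder
names and the sample page are constructed here and are not Microsoft's API."""
from urllib.parse import quote

# Rule #1: HTML element content. Only characters with HTML meaning are
# replaced; '/' is included as the older OWASP guidance recommends.
_HTML_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
             "'": "&#x27;", "/": "&#x2F;"}

def html_escape(s: str) -> str:
    return "".join(_HTML_MAP.get(c, c) for c in s)

# Rule #2: HTML attribute values. Every non-alphanumeric ASCII character becomes
# &#xHH; so an unquoted or oddly quoted attribute cannot be broken out of.
def attr_escape(s: str) -> str:
    return "".join(c if c.isalnum() and ord(c) < 128 else f"&#x{ord(c):02X};"
                   for c in s)

# Rule #3: JavaScript data values. \xHH for Latin-1, \uHHHH otherwise; quotes,
# slashes and angle brackets are all covered, so the value can neither close
# the string literal nor the enclosing <script> element.
def js_escape(s: str) -> str:
    out = []
    for c in s:
        if c.isalnum() and ord(c) < 128:
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)

# Rule #5: URL parameter values. Percent-encode everything except unreserved chars.
def url_escape(s: str) -> str:
    return quote(s, safe="")

# Bonus rule #2: a CSP source whitelist. The browser enforces it even if one of
# the encoder calls above was forgotten, which is the "layer" the answer means.
def build_csp(script_hosts=(), style_hosts=()) -> str:
    directives = [
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_hosts),
        "style-src 'self' " + " ".join(style_hosts),
        "object-src 'none'",
        "base-uri 'self'",
    ]
    return "; ".join(d.strip() for d in directives)

def render_page(display_name: str, search_term: str) -> tuple[str, dict]:
    """Rule #0: untrusted input goes only into the allowed locations, each
    through the encoder for that context. Returns (html, response headers)."""
    html = (
        "<p>Hello, " + html_escape(display_name) + "</p>\n"
        '<input value="' + attr_escape(search_term) + '">\n'
        '<a href="/search?q=' + url_escape(search_term) + '">again</a>\n'
        "<script>var term = '" + js_escape(search_term) + "';</script>"
    )
    headers = {
        "Content-Security-Policy": build_csp(script_hosts=("https://cdn.example",)),
    }
    return html, headers

if __name__ == "__main__":
    # Constructed sample input that tries to close the current context.
    sample = '"><script>alert(1)</script>'
    page, hdrs = render_page(sample, sample)
    print(page)
    print(hdrs["Content-Security-Policy"])
```

Run it and the only `<script>` in the output is the one the template wrote; the sample input survives only as encoded text in each context. The CSP header is the independent check: if a later change inserts input without an encoder, or a DOM-based sink (rule #7) builds markup on the client, the browser still refuses inline scripts and scripts from hosts outside the whitelist. Note that a policy this strict also blocks the page's own inline `<script>` block, so real deployments move such code to a file served from an allowed origin, or use a nonce or hash for it.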
newbieweb (Sr. Software Engineer, author) commented: