5

Recently I studied a lot related to XSS attacks. I was searching for prevention techniques of XSS attack.

I came across a library called Antisamy, suggested by OWASP. AntiSamy is an HTML, CSS and JavaScript filter for Java that sanitizes user input based on a policy file. AntiSamy is not an HTML, CSS and JavaScript validator. It is merely a way to make sure HTML, CSS and JavaScript input strictly follows rules defined by a policy file

Also I have read about a HTTP response header called Content Security Policy (CSP). It allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources.

So should I use only Antisamy or CSP or using both will be beneficial?

Thank you in advance.

tiger
  • 653
  • 7
  • 18

2 Answers2

3

When it comes to security, the answer is always both/all/everything so long as you have the time.

They are both beneficial in their own right.

I'd argue CSP is more beneficial long term, but I'm highly biased.

EDIT based on completely valid comment

CSP is not supported by all user agents, whereas anti-sammy is user-agent agnostic.

oreoshake
  • 4,712
  • 1
  • 31
  • 38
  • 2
    Just remember that CSP is part of HTML5 which doesn't exist yet as an official spec. Even after it does, supposedly at the end of 2014, there will be browser versions out in the wild for years that don't support the CSP flag. – LaJmOn Feb 20 '14 at 22:31
1

There have been exploits found to AntiSamy in the past and there will probably be in the future as XSS attacks get cleverer (check out this video on mXSS).

It would be advisable to use both. AntiSamy will be effective for browsers that do not support CSP. CSP will be effective for current and future supported browsers.

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145