Question

Recently I have studied a lot about XSS attacks. I was searching for prevention techniques for XSS attacks.

I came across a library called AntiSamy, suggested by OWASP. AntiSamy is an HTML, CSS and JavaScript filter for Java that sanitizes user input based on a policy file. AntiSamy is not an HTML, CSS and JavaScript validator. It is merely a way to make sure HTML, CSS and JavaScript input strictly follows rules defined by a policy file.

Also I have read about an HTTP response header called Content Security Policy (CSP). It allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources.

So should I use only Antisamy or CSP or using both will be beneficial?

Thank you in advance.


Solution

When it comes to security, the answer is always both/all/everything so long as you have the time.

They are both beneficial in their own right.

I'd argue CSP is more beneficial long term, but I'm highly biased.

EDIT based on completely valid comment

CSP is not supported by all user agents, whereas AntiSamy is user-agent agnostic.

OTHER TIPS

There have been exploits found to AntiSamy in the past and there will probably be in the future as XSS attacks get cleverer (check out this video on mXSS).

It would be advisable to use both. AntiSamy will be effective for browsers that do not support CSP. CSP will be effective for current and future supported browsers.
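The two layers the answers describe, a server-side sanitizer driven by an allowlist policy (in the spirit of AntiSamy's policy file) and a Content-Security-Policy header that stops anything the sanitizer misses from running as script, fit together as in the following added example. It is not AntiSamy's code or API and not code from the original post; it is a small stdlib-only Python model of both mechanisms. The policy table, the sanitizer, the CSP directive set and the `render_response` helper are all constructed for illustration.

```python
"""Defense in depth against XSS, as an added illustration:
  1. sanitize untrusted HTML against an allowlist policy on the server;
  2. send a CSP with a per-response nonce so that any script that slips
     through step 1 is still refused by a CSP-aware browser.
Older user agents that ignore CSP still get the benefit of step 1.
"""
import secrets
from html import escape
from html.parser import HTMLParser

# Constructed policy: which tags may survive and, per tag, which attributes.
# Anything not listed here (script, img, style, on* handlers, ...) is removed.
POLICY = {
    "p": set(),
    "b": set(),
    "i": set(),
    "ul": set(),
    "li": set(),
    "a": {"href"},
}
VOID_TAGS = {"br", "hr", "img", "input"}
# Elements whose text content is code, not prose, and must be dropped entirely.
RAW_TEXT_TAGS = {"script", "style"}


def _safe_href(value):
    """Allow only http(s) URLs or same-site absolute paths (not '//host')."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://")):
        return True
    return v.startswith("/") and not v.startswith("//")


class PolicySanitizer(HTMLParser):
    """Re-emits only policy-approved tags/attributes; all text is re-escaped."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if tag not in self.policy:
            return  # tag dropped; its text content is still kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in self.policy[tag] or value is None:
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.policy and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))
    # comments, doctype and processing instructions use the defaults: dropped


def sanitize(html_input, policy=POLICY):
    """Return html_input reduced to what the policy allows."""
    p = PolicySanitizer(policy)
    p.feed(html_input)
    p.close()
    return "".join(p.out)


def build_csp(nonce, extra_script_hosts=()):
    """CSP allowing only same-origin resources and nonce-tagged scripts."""
    script_src = " ".join(["'self'", f"'nonce-{nonce}'", *extra_script_hosts])
    return (
        "default-src 'self'; "
        f"script-src {script_src}; "
        "object-src 'none'; "
        "base-uri 'self'; "
        "frame-ancestors 'none'"
    )


def render_response(untrusted_html, nonce=None):
    """Apply both layers and return (headers, body) for an HTTP response."""
    nonce = nonce or secrets.token_urlsafe(16)
    body = (
        "<!doctype html><html><body>"
        f'<div id="user-content">{sanitize(untrusted_html)}</div>'
        f'<script nonce="{nonce}">console.log("app script allowed");</script>'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": build_csp(nonce),
    }
    return headers, body


if __name__ == "__main__":
    sample = '<p onclick="x()">Hi <b>there</b><script>alert(1)</script></p>'
    hdrs, html = render_response(sample)
    print(hdrs["Content-Security-Policy"])
    print(html)
```

The nonce must be freshly generated per response and never reused, and the sanitizer's allowlist is deliberately short: a tag or attribute that is not named in the policy is dropped rather than passed through, which is the same posture AntiSamy's policy file takes.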

Licensed under: CC-BY-SA with attribution