The downloads section now has the May CTP code only release for the Web Protection Library and a Word document
introducing the new extensibility points for the Security Runtime Engine.
I haven’t released binaries because it’s just a preview,
it is in no way ready for production and I want to discourage you even thinking of that. So why did I make the
source available? Simple – feedback. This represents a rewrite of the Security Runtime and a new way for you to easily write plug-ins for it. Rather than simply decide what’s
best for our users I wanted to throw out our ideas and thoughts early and give you the change to download, play and comment/rave/rant about what I’ve done and where I want to go with it.
So what’s missing? Well there are no tests – they do exist, but I’m not ready to publish them yet, but they will come. There are no inspectors or logging plug-ins – because I want you to work through the tutorial, then look
through the code, think about how you would use them or write your own rather than use the ones that will come as part of the released WPL as a starting template.
For the next sprint we’ll probably set the SRE to one side and work on all those outstanding AntiXSS encoding bugs (although I did address two – you can now pass a flag to HtmlEncode indicating if you want to
use named entities and the sanitization bits have been moved to their own assembly - which means the encoding libraries will work in medium trust again). We'll also take a look at what we can do with the HTML sanitization to try to get it to meet your needs.
This sprint will probably see the start of a rewrite of how encoding works in order to make it more maintainable as we move forward, however this obvious needs to be done carefully and code reviewed to make sure I don’t open any security holes. The sprint
after that will be gathering your feedback and looking at any changes we need to make to the SRE because of it, then I aim to deliver a beta and after that a full blown binary release.
So please have a play and do leave feedback or bug reports for us.