AntiXSS 4.2 is out.

Coordinator
Jan 10, 2012 at 5:50 PM

Download from http://www.microsoft.com/download/en/details.aspx?id=28589


It is highly recommended you apply this new version as soon as possible.


This release addresses a vulnerability in the HTML Sanitizer, MS12-007 (http://technet.microsoft.com/en-us/security/bulletin/ms12-007), and adds full support for .NET 4.0 as well as restoring support for .NET 2.0.

Jan 11, 2012 at 12:58 PM

Guys,

Your NuGet package seems broken.

The assembly has the original name AntiXSSLibrary40.dll, but you packed it as AntiXSSLibrary.dll.

So it cannot be loaded correctly at runtime.

<Reference Include="AntiXSSLibrary, Version=4.2.0.0, Culture=neutral, PublicKeyToken=d127efab8a9c114f, processorArchitecture=MSIL">
  <SpecificVersion>False</SpecificVersion>
  <HintPath>..\packages\AntiXSS.4.2.0\lib\net40\AntiXSSLibrary.dll</HintPath>
</Reference>

Could not load file or assembly 'AntiXSSLibrary' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
=== Pre-bind state information ===
LOG: User = aaa\xxx
LOG: DisplayName = AntiXSSLibrary
 (Partial)
WRN: Partial binding information was supplied for an assembly:
WRN: Assembly Name: AntiXSSLibrary | Domain ID: 5
WRN: A partial bind occurs when only part of the assembly display name is provided.
WRN: This might result in the binder loading an incorrect assembly.
WRN: It is recommended to provide a fully specified textual identity for the assembly,
WRN: that consists of the simple name, version, culture, and public key token.
WRN: See whitepaper http://go.microsoft.com/fwlink/?LinkId=109270 for more information and common solutions to this issue.
LOG: Appbase = file:///D:/Dev/yyy/
LOG: Initial PrivatePath = D:\Dev\MayMart\BackOfficeWeb\Web\BackOfficeWeb\bin
Calling assembly : (Unknown).
===
LOG: This bind starts in default load context.
LOG: Using application configuration file: D:\Dev\MayMart\BackOfficeWeb\Web\BackOfficeWeb\web.config
LOG: Using host configuration file: C:\Users\Sergey Kostrukov\Documents\IISExpress\config\aspnet.config
LOG: Using machine configuration file from C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config.
LOG: Policy not being applied to reference at this time (private, custom, partial, or location-based assembly bind).
LOG: Attempting download of new URL file:///C:/Users/xxx/AppData/Local/Temp/Temporary ASP.NET Files/root/4ca31618/8a525c0d/AntiXSSLibrary.DLL.
LOG: Attempting download of new URL file:///C:/Users/xxx/AppData/Local/Temp/Temporary ASP.NET Files/root/4ca31618/8a525c0d/AntiXSSLibrary/AntiXSSLibrary.DLL.
LOG: Attempting download of new URL file:///D:/Dev/yyy/bin/AntiXSSLibrary.DLL.
WRN: Comparing the assembly name resulted in the mismatch: NAME
ERR: Failed to complete setup of assembly (hr = 0x80131040). Probing terminated.

If I rename the assembly and corresponding references to AntiXSSLibrary40.dll - it works OK.

Please fix the NuGet package.
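
A check for the file-name/manifest-name mismatch reported above, as an added example that is not part of the original post or the AntiXSS project: it compares each DLL's file name with the simple name recorded in its manifest. The `..\packages` default and the function name `Test-AssemblyFileName` are assumptions.

```powershell
# Added example: flag DLLs whose file name differs from the simple name in their manifest.
# $PackagesRoot is an assumed path; point it at the solution's NuGet packages folder.
param(
    [string]$PackagesRoot = '..\packages'
)

function Test-AssemblyFileName {
    param([Parameter(Mandatory)][string]$Path)

    try {
        # Reads the manifest identity without loading the assembly into the process.
        $identity = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
    }
    catch {
        return $null   # native DLL, not a managed assembly, or unreadable: nothing to compare
    }

    $fileName = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    [pscustomobject]@{
        File         = $Path
        FileName     = $fileName
        ManifestName = $identity.Name
        Version      = $identity.Version
        # The binder probes for <simple name>.dll, so the two names must agree.
        Match        = [string]::Equals($fileName, $identity.Name,
                           [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# Report only the assemblies that would fail with the "mismatch: NAME" bind error.
Get-ChildItem -Path $PackagesRoot -Recurse -Filter *.dll |
    ForEach-Object { Test-AssemblyFileName -Path $_.FullName } |
    Where-Object { $_ -and -not $_.Match } |
    Format-Table FileName, ManifestName, Version, File -AutoSize
```
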

Coordinator
Jan 11, 2012 at 3:29 PM

Ah, how strange - NuGet is pulling out the original name, rather than the actual name. I'll talk to the NuGet guys and see what's going on.

Jan 11, 2012 at 5:40 PM

OK that should do it now, 4.2.1 is available. I'll be updating the MSI as well this morning. Apologies for that, completely my fault.

Jan 13, 2012 at 2:30 PM

The library doesn't play well together with the AjaxControlToolkit. Probably because the AjaxControlToolkit depends on an older version of the HtmlSanitizationLibrary. I get the following compile error:

Could not load file or assembly 'HtmlSanitizationLibrary, Version=4.2.0.0, Culture=neutral, PublicKeyToken=d127efab8a9c114f' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

Both packages are installed using NuGet.

Coordinator
Jan 13, 2012 at 4:22 PM

That team is aware and is working on it. Thanks.

Jan 23, 2012 at 11:08 AM

When will the source code be updated to 4.2.1? It's currently at 4.1 beta 1 according to http://wpl.codeplex.com/SourceControl/list/changesets.