Where are all the old releases?

Jan 26, 2012 at 7:22 AM

I just noticed that older versions have been removed from the download page.

I hope that's just an accident - can someone please restore them?


Jan 26, 2012 at 4:09 PM

It's not an accident. As the latest version addresses a security vulnerability the older versions are no longer available.

Jan 27, 2012 at 1:38 PM

Ah. Well, since you have not only fixed vulnerabilities but also made a radical change in design (yes I'm sure that in theory it's for everyone's benefit) that makes the component unusable for stripping content from html WYSIWYG editors, then please reconsider this and restore the 4.0 version which at least is better than no sanitation at all.

It's also good practice for open source projects to keep all releases available at the user's discretion. Professional developers like to decide ourselves whether to shoot our feet or not.



Jan 27, 2012 at 1:39 PM

It's company policy I'm afraid. The source will remain though, so if you desperately wanted you could download and compile your own versions of older releases.

Feb 13, 2012 at 10:01 AM

"so if you desperately wanted" Condescending much?

Let me get this straight... You disclose a vulnerability and announce that everyone should upgrade to 4.2, but after spending 30 seconds creating a new blank MVC project and testing the new release, it becomes clear that it's all but unusable for anything practical. So we're stuck between staying with the version with a vulnerability and one that's broken.

Do you guys actually test your work or just push it out to get better PR by branding it "Open Source"?

"It's company policy" to refuse to lower a ladder for developers to get out of the hole that you've encouraged them into? We have to build our own ladder from source to get out?

Since we're building our own ladders now, can you at least disclose exactly where the vulnerability is in the source? Maybe we can patch it up and use the "desperately wanted" older version (since 4.2 source is still missing) that actually works... you know like the "real" open source software.

Feb 15, 2012 at 9:38 AM

+1 on eksith

I truly don't understand your behavior here, Barry.


Feb 20, 2012 at 8:32 PM

This sucks. Just for this reason, I'm NOT upgrading to 4.2. Thank goodness for source control.

Feb 23, 2012 at 11:23 AM
Edited Feb 23, 2012 at 11:28 AM

@bdorrrans - I'm attempting to download the older source code, but many versions / commits seem to be missing.  Example: I only see check-ins that say "CTP" or "Beta".  Are these the final versions?  Why don't the dates match what is on MSFTs download site?  If the code was pulled is this known/intended?  Is it administrative error?  Was this a decision to pull that code ... that wasn't communicated.. and therefore leaves your advice out there hanging?

I'm potentially a new AntiXSS user and really don't like this run-around.  Is this the new protocol of what to expect from this project?


I don't mind you following company policy, but the perceived lack of communication (or administrative errors) is not a good sign.  Please tell your team that the whole concept of FOSS is transparency... and company decisions to pull EXEs or source code should be communicated.  If this was done, do tell me where to look for up to date information for your important piece of software.

Feb 23, 2012 at 2:55 PM

@clamont - the beauty of FOSS is that if you don't like the current moderators then you can fork off.

If you manage to find the correct source code matching the released 4.0, then I suggest we create a new CodePlex (or github) project to host the 4.0 baseline. Then we can ask Barry nicely to file bugs corresponding to the vulnerabilities that he claims exist.

Any takers?


Feb 23, 2012 at 3:19 PM

The source branch for 4.0, release, is available - the dates don't ever match due to the way we publish.

The source for 4.2 is not available - it takes a bit of cleaning before publication (we usually have a 1-2 week gap), and as we're working on getting the sanitizer functional again for 4.3 taking the time to publish the 4.2 code would remove effort from tracking down what is going on.

Feb 23, 2012 at 3:57 PM


"the dates don't ever match due to the way we publish"

Please read the Open Source FAQ section titled:

What if I do not want to distribute my program in source code form? Or what if I don't want to distribute it in either source or binary form?

If you don't distribute source code, then what you are distributing cannot meaningfully be called "Open Source". And if you don't distribute at all, then by definition you're not distributing source code, so you're not distributing anything Open Source. 

TL;DR: No 4.2 source = Not Open Source. No past binaries = Not Open Source.
From the moment WPL deleted the past binaries (vulnerabilities be damned) and fell behind on updating the source to match the binary releases it has not been an open source project.

Feb 23, 2012 at 4:46 PM

eksith that steps into legal definitions and is not a conversation I am willing to contribute to. I'm not a lawyer.

Feb 23, 2012 at 4:58 PM

@bdorrans - Thank you for clarifying and posting a link to the 4.0 source.  I was under the impression it wasn't available since the checkin text said Beta or RC (or something to that effect).


@Perb - I personally don't see the need to fork.  The code appears to be there, and @bdorrans is actively addressing our concerns, like a good moderator should.


@eksith I actually like that the most recent source isn't available .. I don't want the recent security vulnerability to be that public.  IMHO, if you depend on FOSS software, one should download the corresponding code tree for that binary, compile and work from that.  Finally, I hope to hear more constructive criticism from you on this DLL to make it better... and I hope your anti-antixss feelings calm down to a point so I can see your rational contributions more clearly  ;)

Feb 23, 2012 at 5:12 PM

My rational contribution to this (and an alternative) is on a reply to your other post.

I'm not a lawyer either, but I damn well speak English and was somehow able to understand the definition of "Open Source", which this project clearly isn't.

Feb 23, 2012 at 6:07 PM

Thanks eksith... also we should be able to decompile this DLL using reflector or Telerik: http://www.telerik.com/products/decompiler.aspx?utm_source=twitter&utm_medium=sm&utm_campaign=q1

Feb 23, 2012 at 6:22 PM
Edited Feb 23, 2012 at 6:45 PM


Just Google HtmlAgilityPack and Sanitize and you'll get a dozen examples of doing exactly what AntiXss does, but even better, since you actually have the ability to customize the source. Plus, no vulnerabilities.

Thanks to this debacle, this library made itself redundant.

As Ted Dziuba would put it, it doesn't make sense to value "technological purity over gettin' s___ done". If something works, isn't falling apart and is already in use, put it to work instead.
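The post above points at HtmlAgilityPack as a replacement for the AntiXSS sanitizer. As an added example that is not code from this thread, from AntiXSS, or from HtmlAgilityPack itself, here is the shape such a sanitizer takes when written as an allow-list (anything not explicitly permitted is removed), which is the property a WYSIWYG editor back end needs. It uses the real HtmlAgilityPack API (`HtmlDocument`, `HtmlNode.RemoveChild(node, keepGrandChildren)`, `HtmlEntity.DeEntitize`); the element, attribute and scheme sets are assumptions chosen for a minimal rich-text editor, not values taken from this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using HtmlAgilityPack;

// Allow-list HTML sanitizer built on HtmlAgilityPack (added example; not AntiXSS code).
public static class AllowListSanitizer
{
    // Assumption: a minimal rich-text element set; extend it to match the editor's toolbar.
    private static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a", "blockquote" };

    // Attributes permitted per element. Everything else (style, on* handlers, srcdoc, ...)
    // is dropped, so no deny-list of "dangerous" attribute names has to be maintained.
    private static readonly Dictionary<string, HashSet<string>> AllowedAttributes =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["a"] = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href", "title" }
        };

    // URL schemes accepted in href; a relative URL (no scheme at all) is also accepted.
    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "http", "https", "mailto" };

    // Elements whose content must disappear together with the tag, not be unwrapped as text.
    private static readonly HashSet<string> DropWithContent =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "script", "style", "iframe", "object", "embed", "noscript", "template" };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);
        Clean(doc.DocumentNode);
        return doc.DocumentNode.InnerHtml;
    }

    private static void Clean(HtmlNode parent)
    {
        // Snapshot the child list: it is mutated while we walk it.
        foreach (var node in parent.ChildNodes.ToList())
        {
            switch (node.NodeType)
            {
                case HtmlNodeType.Comment:
                    node.Remove(); // comments (incl. conditional comments) carry no editor content
                    break;
                case HtmlNodeType.Text:
                    // Normalise text: decode whatever entities arrived, then re-encode
                    // the markup-significant characters so no raw '<' or '&' is emitted.
                    var text = (HtmlTextNode)node;
                    text.Text = HtmlDocument.HtmlEncode(HtmlEntity.DeEntitize(text.Text));
                    break;
                case HtmlNodeType.Element:
                    if (DropWithContent.Contains(node.Name))
                    {
                        node.Remove();
                    }
                    else if (!AllowedTags.Contains(node.Name))
                    {
                        // Unknown element: clean its children first, then drop the tag
                        // but keep the (already cleaned) children in its place.
                        Clean(node);
                        parent.RemoveChild(node, keepGrandChildren: true);
                    }
                    else
                    {
                        FilterAttributes(node);
                        Clean(node);
                    }
                    break;
                default:
                    node.Remove();
                    break;
            }
        }
    }

    private static void FilterAttributes(HtmlNode node)
    {
        AllowedAttributes.TryGetValue(node.Name, out var allowed);
        foreach (var attr in node.Attributes.ToList())
        {
            bool keep = allowed != null && allowed.Contains(attr.Name);
            if (keep && attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase))
            {
                keep = TryCleanUrl(attr.Value, out var cleaned);
                if (keep) attr.Value = cleaned; // store the decoded, trimmed form
            }
            if (!keep) node.Attributes.Remove(attr);
        }
    }

    private static bool TryCleanUrl(string raw, out string cleaned)
    {
        // Decode entities before looking at the scheme ("&#106;avascript:" must not pass).
        cleaned = WebUtility.HtmlDecode(raw ?? string.Empty).Trim();
        // Browsers skip embedded tab/newline characters when reading the scheme, so a value
        // containing any control character is rejected outright rather than normalised.
        if (cleaned.Any(c => c < ' ')) return false;
        int colon = cleaned.IndexOf(':');
        int delimiter = cleaned.IndexOfAny(new[] { '/', '?', '#' });
        bool hasScheme = colon >= 0 && (delimiter < 0 || colon < delimiter);
        if (!hasScheme) return true; // relative URL
        return AllowedSchemes.Contains(cleaned.Substring(0, colon));
    }
}
```

Calling `AllowListSanitizer.Sanitize(input)` on editor output strips script/style subtrees whole, unwraps unrecognised elements to their text, removes every attribute not on the per-element list, and keeps `href` only for relative URLs or the listed schemes. The design choice worth noting is that the lists describe what is allowed, so a newly introduced attribute or element is rejected by default instead of slipping past a deny-list. The remaining risk with any DOM-based sanitizer is a parsing difference between HtmlAgilityPack and the browser that finally renders the output, which is why the text nodes are re-encoded on the way out and why a maintained sanitizer library with its own test corpus is the better production choice than hand-rolled code like this.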

May 14, 2012 at 5:54 PM

For anyone that is desperate for the old binaries, they are included in the AJAX Control Toolkit.

The AJAX Control Toolkit - November 2011 Release - Version 51116 should match the 4.0 binaries.