wpl Releases Rss Feed

Updated Release: AntiXSS Library v4.2.1 (Jan 10, 2012)

bdorrans — Wed, 11 Jan 2012 21:56:59 GMT

Download from http://www.microsoft.com/download/en/details.aspx?id=28589

It is highly recommended you apply this new version as soon as possible.

If you downloaded v4.2 you may see an error due to filename changes - this has been fixed. Please install v4.2.1.

This release addresses a vulnerability in the HTML Sanitizer, MS12-007 http://technet.microsoft.com/en-us/security/bulletin/ms12-007 and adds full support for .NET 4.0 as well as restoring support for .NET 2.0.

The sanitizer has been changed to remove all CSS it encounters, this new behaviour means that if you were keeping CSS formatting from HTML that is no longer going to be the case.

In addition to the change necessary to correct the vulnerability there are a few new features;

Minimum Requirements.

You can now, once again, use the encoder libraries with .NET 2.0. The installer will create directories for each framework version supported, .NET 2.0, .NET 3.5 and .NET 4.0 which contain an optimized version of the encoders for that platform.

Invalid Unicode no longer throws an exception.

Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.

UrlPathEncode added.

The encoding library now has UrlPathEncode which will encode a string for use as the path part of a URL.

.NET 4.0 encoder support.

There’s finally an official way to swap AntiXSS into the framework. If you are using .NET 4.0 ensure you are using the .NET 4.0 version of the encoding library and then edit your web.config and add the encoderType attribute to the httpRuntime element; i.e.

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

Released: AntiXSS Library v4.2.1 (Jan 10, 2012)

Wed, 11 Jan 2012 21:56:58 GMT

Download from http://www.microsoft.com/download/en/details.aspx?id=28589

It is highly recommended you apply this new version as soon as possible.

Minimum Requirements.

You can now, once again, use the encoder libraries with .NET 2.0. The installer will create directories for each framework version supported, .NET 2.0, .NET 3.5 and .NET 4.0 which contain an optimized version of the encoders for that platform.

Invalid Unicode no longer throws an exception.

Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.

UrlPathEncode added.

The encoding library now has UrlPathEncode which will encode a string for use as the path part of a URL.

.NET 4.0 encoder support.

There’s finally an official way to swap AntiXSS into the framework. If you are using .NET 4.0 ensure you are using the .NET 4.0 version of the encoding library and then edit your web.config and add the encoderType attribute to the httpRuntime element; i.e.

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

Updated Release: AntiXSS Library v4.2 (Jan 10, 2012)

bdorrans — Tue, 10 Jan 2012 17:59:53 GMT

Download from http://www.microsoft.com/download/en/details.aspx?id=28589

It is highly recommended you apply this new version as soon as possible.

This release addresses a vulnerability in the HTML Sanitizer, MS12-007 http://technet.microsoft.com/en-us/security/bulletin/ms12-007 and adds full support for .NET 4.0 as well as restoring support for .NET 2.0.

The sanitizer has been changed to remove all CSS it encounters, this new behaviour means that if you were keeping CSS formatting from HTML that is no longer going to be the case.

In addition to the change necessary to correct the vulnerability there are a few new features;

Minimum Requirements.

You can now, once again, use the encoder libraries with .NET 2.0. The installer will create directories for each framework version supported, .NET 2.0, .NET 3.5 and .NET 4.0 which contain an optimized version of the encoders for that platform.

Invalid Unicode no longer throws an exception.

Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.

UrlPathEncode added.

The encoding library now has UrlPathEncode which will encode a string for use as the path part of a URL.

.NET 4.0 encoder support.

There’s finally an official way to swap AntiXSS into the framework. If you are using .NET 4.0 ensure you are using the .NET 4.0 version of the encoding library and then edit your web.config and add the encoderType attribute to the httpRuntime element; i.e.

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

Released: AntiXSS Library v4.2 (Jan 10, 2012)

Tue, 10 Jan 2012 17:59:53 GMT

Download from http://www.microsoft.com/download/en/details.aspx?id=28589

It is highly recommended you apply this new version as soon as possible.

Minimum Requirements.

You can now, once again, use the encoder libraries with .NET 2.0. The installer will create directories for each framework version supported, .NET 2.0, .NET 3.5 and .NET 4.0 which contain an optimized version of the encoders for that platform.

Invalid Unicode no longer throws an exception.

Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.

UrlPathEncode added.

The encoding library now has UrlPathEncode which will encode a string for use as the path part of a URL.

.NET 4.0 encoder support.

There’s finally an official way to swap AntiXSS into the framework. If you are using .NET 4.0 ensure you are using the .NET 4.0 version of the encoding library and then edit your web.config and add the encoderType attribute to the httpRuntime element; i.e.

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

Created Release: AntiXSS 4.1

bdorrans — Wed, 20 Apr 2011 14:08:49 GMT

What's new in AntiXSS 4.1

Minimum Requirements

.NET Framework 3.5

Encoder changes

A race condition in the encoders has been fixed. Previously it was possible to use some encoders before the safe list processing had completed, which meant safe characters would end up encoded rather than left alone.
UrlPathEncode has been added. This will encode unsafe characters in a URL path. It only supports ASCII paths - any characters outside of the ASCII range will be converted to their UTF8 byte values and encoded as two or more hex characters.

.NET 4.0 Support

AntiXSS exceptions are serializable as .NET 4.0 provides medium trust safe serialization.
There is now official support for swaping out the ASP.NET encoders and replacing them with AntiXSS using

Created Release: AntiXSS Library V4.0

bdorrans — Tue, 21 Sep 2010 16:30:27 GMT

What's new in AntiXSS 4.0

Return Values

If you pass a null as the value to be encoding to an encoding function the function will now return null. The previous behavior was to return String.Empty.

Medium Trust Support

The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment() have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and the ability to run unsafe code.

Adjustable safe-listing for HTML/XML Encoding

The safe list for HTML and XML encoding is now adjustable. The UnicodeCharacterEncoder.MarkAsSafe() method allows to you choose from the Unicode Code Charts which languages your web application normally accepts. Safe-listing a language code chart leaves the defined characters in their native form during encoding, which increases readability in the HTML/XML document and speeds up encoding. Certain dangerous characters will also be encoded.

The language code charts are defined in the Microsoft.Security.Application.LowerCodeCharts, Microsoft.Security.Application.LowerMidCodeCharts, Microsoft.Security.Application.MidCodeCharts, Microsoft.Security.Application.UpperMidCodeCharts and Microsoft.Security.Application.UpperCodeCharts enumerations.
It is suggested you safe list your acceptable languages during your application initialization.

Invalid unicode character detection

If any of the HTML or XML encoding methods encounter a character with a character code of 0xFFFE or 0xFFFF, the characters used to detect byte order at the beginning of files an
InvalidUnicodeValueException will be thrown.

Surrogate Character Support in HTML and XML encoding

Support for surrogate character pairs for Unicode characters outside the basic multilingual plane has been improved. Such character pairs are now combined and encoded as their &xxxxx; value. If a high surrogate pair character is encountered which is not followed by a low surrogate pair character, or a low surrogate pair character is encountered which is not preceded by a high surrogate pair character an InvalidSurrogatePairException is thrown.

HTML 4.01 Named Entity Support

A new overload of the HtmlEncode method, Encoder.HtmlEncode(string input, bool useNamedEntities) allows you to specify if the named entities from the HTML 4.01 specification should be used in preference to &#xxxx; encoding when a named entity exists. For example if useNamedEntities parameter is set to true the copyright entity would be encoded as ©.

HtmlFormUrlEncode

A new encoding type suitable for using in encoding Html POST form submissions is now available via Encoder.HtmlFormUrlEncode. This encodes according to the W3C specifications for application/x-www-form-urlencoded MIME type.

LDAP Encoding changes

The LdapEncode function has been deprecated in favor of two new functions, Encoder.LdapFilterEncode(string) and Encoder.LdapDistinguishedNameEncode(string)

Encoder.LdapFilterEncode encodes input according to RFC4515 where unsafe values are converted to \XX where XX is the representation of the unsafe character. For example

Encoder.LdapFilterEncode encodes input according to RFC 2253 where unsafe characters are converted to #XX where XX is the representation of the unsafe character and the comma, plus, quote, slash, less than and great than signs are escaped using slash notation (\X). In addition to this a space or octothorpe (#) at the beginning of the input string is \ escaped as is a space at the end of a string.

LdapDistinguishedNameEncode(string, bool, bool) is also provided so you may turn off the initial or final character escaping rules, for example if you are concatenating the escaped distinguished name fragment into the midst of a complete distinguished name.

Updated Release: Web Protection Library 4.0 May CTP

bdorrans — Mon, 03 May 2010 20:08:53 GMT

This version of the Web Protection Library includes

AntiXSS - A new Anti-Cross Site Scripting Library removes some bugs and is now usuable in medium trust environments.
HtmlSanitization - The HTML Sanitization Library has been moved to its own assembly, but still requires a full trust environment.
SRE - The SRE has been largely rewritten to provide a plug-in model using the Managed Extensibility Framework.
- New mitigating inspectors for Click Jacking, Cookie Protection and NoOpen headers have been added.
- Logging is now provided by plug-ins. An example ASP.NET trace logger is included as an example project. The removal of logging implementation from the SRE means there is no longer a dependancy on the Enterprise Library.
A standard class to replace the .NET 4.0 Encoding with AntiXSS encoding is included as a new project.

This release will not be produced as a binary download, rather you are encouraged to download the source and build your own WPL plug-ins or ensure that AntiXSS works in your environment. The source is now built using Visual Studio 2010 and you will require a version of VS2010 to compile the solution. VS2008 users should be able to load the individual projects, excluding the new .NET 4.0 encoding project.

As ever please log any issues so we can take them onboard during our next sprint planning.

Updated Release: Anti-XSS Library v3.1 (Sep 15, 2009)

anilkr — Tue, 15 Sep 2009 16:55:57 GMT

We are excited to announce the RTM version of Anti-XSS Library v3.1. This binary distribution is availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

Released: Anti-XSS Library v3.1 (Sep 15, 2009)

Tue, 15 Sep 2009 16:55:57 GMT

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

Updated Release: Anti-XSS Library v3.0 (Dec 09, 2008)

anilkr — Wed, 15 Jul 2009 15:19:34 GMT

We are excited to announce the RTM version of Anti-XSS Library v3.0. This binary distribution is availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

Released: Anti-XSS Library v3.0 (Dec 09, 2008)

Wed, 15 Jul 2009 15:19:34 GMT

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

Updated Release: Anti-XSS Library v3.0 (Dec 09, 2008)

anilkr — Wed, 15 Jul 2009 15:19:10 GMT

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

Updated Release: Anti-XSS Library v3.0 Beta (Dec 09, 2008)

anilkr — Wed, 07 Jan 2009 17:09:40 GMT

We are excited to announce the beta version of Anti-XSS Library v3.0. This binary distribution is availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

Released: Anti-XSS Library v3.0 Beta (Dec 09, 2008)

Wed, 07 Jan 2009 17:09:40 GMT

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

Updated Release: Anti-XSS Library v3.0 Beta (Dec 09, 2008)

anilkr — Wed, 07 Jan 2009 17:09:09 GMT

We are excited to announce the beta version of Anti-XSS Library v3.0. This binary distribution is also availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

Updated Release: Anti-XSS Library v3.0 Beta (Dec 09, 2008)

anilkr — Wed, 07 Jan 2009 17:04:02 GMT

We are excited to announce the beta version of Anti-XSS Library v3.0.

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en.

Updated Release: Anti-XSS Library v3.0 Beta (Dec 09, 2008)

anilkr — Wed, 07 Jan 2009 17:03:18 GMT

We are excited to announce the beta version of Anti-XSS Library v3.0.

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on MSDN.

Reviewed: Anti-XSS Library v3.0 Beta (Dec 23, 2008)

dblack — Tue, 23 Dec 2008 16:37:21 GMT

Rated 5 Stars (out of 5) - The Security Runtime Engine (SRE) HTTP Module will save me countless hours of adding/maintaining all of the places in code where you would normally use HtmlEncode(), UrlEncode(), JavaScriptEncode(), etc. Thank you!

Updated Release: Anti-XSS Library v3.0 Beta (Dec 09, 2008)

degroves — Tue, 16 Dec 2008 01:03:26 GMT

We are excited to announce the beta version of Anti-XSS Library v3.0.

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on MSDN.

Released: Anti-XSS Library v3.0 Beta (Dec 09, 2008)

Tue, 16 Dec 2008 01:03:26 GMT

We are excited to announce the beta version of Anti-XSS Library v3.0.

What’s New in This Release

New features in this version of the Anti-Cross Site Scripting Library include:

An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Release Details

This binary distribution is also availible on MSDN.