A new source drop is available.

May 27, 2010 at 6:13 PM

The downloads section now has the May CTP code only release for the Web Protection Library and a Word document introducing the new extensibility points for the Security Runtime Engine.

I haven’t released binaries because it’s just a preview, it is in no way ready for production and I want to discourage you from even thinking of that. So why did I make the source available? Simple – feedback. This represents a rewrite of the Security Runtime and a new way for you to easily write plug-ins for it. Rather than simply decide what’s best for our users I wanted to throw out our ideas and thoughts early and give you the chance to download, play and comment/rave/rant about what I’ve done and where I want to go with it.

So what’s missing? Well there are no tests – they do exist, but I’m not ready to publish them yet, but they will come. There are no inspectors or logging plug-ins – because I want you to work through the tutorial, then look through the code, think about how you would use them or write your own rather than use the ones that will come as part of the released WPL as a starting template.

For the next sprint we’ll probably set the SRE to one side and work on all those outstanding AntiXSS encoding bugs (although I did address two – you can now pass a flag to HtmlEncode indicating if you want to use named entities and the sanitization bits have been moved to their own assembly - which means the encoding libraries will work in medium trust again). We'll also take a look at what we can do with the HTML sanitization to try to get it to meet your needs. This sprint will probably see the start of a rewrite of how encoding works in order to make it more maintainable as we move forward, however this obviously needs to be done carefully and code reviewed to make sure I don’t open any security holes. The sprint after that will be gathering your feedback and looking at any changes we need to make to the SRE because of it, then I aim to deliver a beta and after that a full blown binary release.

So please have a play and do leave feedback or bug reports for us.


Aug 4, 2010 at 3:08 PM

Really looking forward to these medium trust updates...

Is there a target date of availability?

Aug 4, 2010 at 3:39 PM
Edited Aug 4, 2010 at 3:41 PM
The next drop will probably have a binary installer, as well as the source code available, but will still be considered a beta. Once I've collated any feedback on it there will be another update to spread the new encoding mechanisms to all the encoding methods, not just *MLEncode. After that some work we're doing around vulnerabilities will be pushed into the example WPL Plugins, some more testing of the new encoding plugin architecture and then hopefully we're done, and I can call it a release. The next version will require .NET 3.5 - a change we don't view as too painful for anyone, but one that makes it far easier to maintain and enhance. But there are no timescales, as we're also working on other internal tools, so the plugins will be worked on as and when there are gaps in my workload. If you want medium trust then please download the latest source and compile it - that has removed the parts that require full trust into a separate assembly, so the AntiXSS library is now, once again, suitable for medium trust environments.