Web Protection Library
Web Protection Library
As I’m almost done the AntiXSS 4.0 release notes have been finalised; Minimum Requirements .NET Framework 3.5 Return Values If you pass a null as the value an encoding function the function will now return null. The previous behavior was to return String.Empty. Medium Trust Support The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment() have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and...
The Information Security Tools Team at Microsoft is hiring. Oh yes, your dream could come true, you could work with me … We have an opening for a Senior SDE to help us develop software to support Microsoft’s information security program, analysing everyone else’s software for potential flaws and helping mitigate, manage and analyse. Mad SQL and OLAP skillz will put you at the top of the queue. You can either apply though the link above, or email me your résumé/CV to my work email, bdorrans@microsoft.com (which has until now been spam free *sigh*. I promise not to...
When I started off discussing where I would take the Security Runtime Engine with the Developer Security MVPs Raffaele Rialdi asked if there would be a way to inspect raw requests and responses. Whilst I can’t do requests, as I don’t see them until ASP.NET has parsed them I can do responses, via ASP.NET’s filter mechanisms so, despite him tagging someone else as me on Facebook I started to look at how best to do this and came up with IResponseInspector. The response inspector works slightly differently to the other inspectors – by the time it’s called there is no...
The WPL site on CodePlex now has the May CTP code only release for the Web Protection Library and a Word document introducing the new extensibility points for the Security Runtime Engine. I haven’t released binaries because it’s just a preview, it is in no way ready for production and I want to discourage you even thinking of that. So why did I make the source available? Simple – feedback. This represents a rewrite of the Security Runtime and a new way for you to easily write plug-ins for it. Rather than simply decide what’s best for our users...
(And yes, I did mean PlugIns – darned FXCop rules) After a couple of weeks of experimentation with code I think I have the plug-in model complete now. As suggested by Travis in the comments on a previous post as many parameters as possible are now using System.Web.Abstractions. Right now there are three main interfaces: /// <summary>
/// Defines methods that must be implemented for request inspection.
/// </summary>
public interface IRequestInspector : ISecurityRuntimePlugIn
{
/// <summary>
/// Inspects an HTTP request for potential problems.
/// </summary>
/// <param name="request">The...
So now our fit and finish sprint is finished (my PM, Frank, has published the results which demonstrate that, well, fit and finish is never, errr, finished) I’ve been doing some thinking and experimenting. Two things came out of the MVP summit this year, 1) we want logging which isn’t the Enterprise Library and 2) we want to write our own WPL plugins (more specifically a particular Developer Security MVP wanted to write a SQL Injection detector for MySQL). This week was scheduled to be a lazy week, as we work around planning meetings for sprint 2 so I...
Phil Haack has just blogged how to write an encoding provider for ASP.NET 4.0 which uses AntiXSS. He beat me to it – one of the reasons I’ve switched WPL to VS2010 is so I can include an assembly which does this in the next public release. Encoding providers will work for both ASP.NET 4.0 WebForms and MVC applications, but the HttpEncoder class only encodes HTML, HTML attributes, HTTP headers and URL and URL paths. If you’re using the JavaScript encoding bits you’ll still have to do that manually. The decoding functionality will be based down to the .NET framework...