Microsoft Anti-Cross Site Scripting Library V1.5 is Released!

Hello,

I wanted to announce that today the ACE and the ASP.NET team released V1.5 of the Anti-Cross Site Scripting Library at https://msdn2.microsoft.com/en-us/security/aa973814.aspx. This library is essentially the same library that we used to call IOSec (whose name is retiring so we can converge on a single name) and we’re excited about finally being able to provide you with tools like these to develop more secure applications!

Top 5 Reasons Why You Should Upgrade

Migrating to V1.5 will require a few steps on your part, but here are the top reasons why you should upgrade to this version:

  • Reason #1 - More Encoding Methods: V1.5 adds encoding methods for JavaScript, Visual Basic Script, XML and more, so untrusted data can be encoded for the context it is rendered in, giving even more protection against XSS attacks.

    Encoding Method          Version 1.0   Version 1.5
    HtmlEncode               X             X
    HtmlAttributeEncode                    X
    UrlEncode                X             X
    JavaScriptEncode                       X
    VisualBasicScriptEncode                X
    XmlEncode                              X
    XmlAttributeEncode                     X

  • Reason #2 - Allow Partially Trusted Caller Attribute (APTCA) Support: The new library can be deployed in least privileged scenarios (that's a good thing!). There are certainly ways APTCA can be abused when not implemented properly, so we've taken steps to limit that possibility, such as applying the SecurityTransparent (.NET 2.0 only), RequestMinimum and RequestOptional attributes.
  • Reason #3 - Improved Documentation, Sample Applications and Tutorials: Version 1.0 contained some examples of implementations of the library; however, what was missing was pragmatic tutorials on how to implement the library properly. Alongside this release you'll find a tutorial on how to implement the library, along with a simple technique for determining whether data requires encoding or not, at https://msdn2.microsoft.com/en-us/library/aa973813.aspx (we already know about the image rendering issue and it's getting fixed =P). Finally, you'll notice that the documentation for V1.5 has also been significantly improved.
  • Reason #4 - A Much Clearer and More Flexible End User License Agreement (EULA): The EULA included with V1.0 was confusing and did not allow the library to be deployed in production environments. V1.5's EULA is much clearer and provides the ability to deploy into production environments.
  • Reason #5 - Easy Upgrade Path for V1.0 Users: Users developing on top of the V1.0 release can easily migrate to V1.5. The old namespace used in V1.0 is supported in V1.5, so V1.0 users should find migration relatively transparent.
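To show why one encoder per output context is needed (the point of the table under Reason #1), here is an added Python sketch of the principle-of-inclusions approach the library uses: everything outside a short allowlist is encoded, in the form the destination context requires. This is illustration code, not the library's own; the exact allowlists, escape forms and the render_greeting helper are my assumptions and differ from the real AntiXss methods.

```python
import string
from urllib.parse import quote

# Allowlist: only these characters ever pass through unencoded. Constructed
# for illustration; the real library's allowlists and output forms differ.
ALNUM = frozenset(string.ascii_letters + string.digits)

def _encode(text, allowed, escape):
    """Encode every character outside `allowed` with `escape`."""
    return "".join(ch if ch in allowed else escape(ch) for ch in text)

def html_encode(text):
    """HTML element content (<p>...</p>): numeric character references."""
    return _encode(text, ALNUM | {" "}, lambda c: f"&#{ord(c)};")

def html_attribute_encode(text):
    """HTML attribute values: the space is encoded as well, so a value in an
    unquoted attribute cannot start a second attribute."""
    return _encode(text, ALNUM, lambda c: f"&#{ord(c)};")

def javascript_encode(text):
    """Inside a quoted JavaScript string literal: \\xHH and \\uHHHH escapes,
    which neither the HTML parser nor the JS lexer reads as a quote,
    backslash or tag."""
    def esc(c):
        n = ord(c)
        return f"\\x{n:02x}" if n < 0x100 else f"\\u{n:04x}"
    return _encode(text, ALNUM | {" "}, esc)

def url_encode(text):
    """Query-string values: percent-encoded UTF-8 via the stdlib, whose
    unreserved set "_.-~" also stays unencoded."""
    return quote(text, safe="")

def xml_encode(text):
    """XML text nodes: numeric references, which XML parses as HTML does."""
    return html_encode(text)

def render_greeting(name):
    """One fragment with the same untrusted value in four contexts, each
    encoded for where it lands: that is why the library has several methods."""
    return (
        f'<p title="{html_attribute_encode(name)}">Hello {html_encode(name)}</p>\n'
        f'<a href="/search?q={url_encode(name)}">search</a>\n'
        f"<script>var who = '{javascript_encode(name)}';</script>"
    )
```

Note that HTML encoding alone would leave a value unreadable inside the script block (the browser does not decode entities there), which is the practical reason a separate JavaScriptEncode exists.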

What’s Next?

Already people are asking this! In later versions we'll look towards providing you with automatically-encoding Web controls, intelligent filtering capabilities and much more. And of course, the ACE team will continue releasing other security tools (new versions of TAM, and others …), so keep visiting this blog for updates!

Thanks and enjoy this release!

Kevin Lam, CISSP | Senior Security Technologist | ACE Security Services Team

Assessing Network Security Book - https://www.microsoft.com/MSPress/books/6788.asp
Kevin Lam's Blog - https://blogs.msdn.com/kevinlam/default.aspx