Several people have asked me when the next version of the Microsoft Anti-Cross Site Scripting (XSS) Library (version 1.5) would be released.  There were some delays, so it should be around the end of June (no guarantees, though). By the way, thanks for all the patience so far!

 

Since the original release of version 1.0 found at this link, I've received lots of great feedback and numerous requests for this coming version.  I tried to get everyone's requests into the new implementation, but in any case here are a couple of things that you can expect to see in version 1.5:

 

  • More Encoding Methods: Encoding methods for JavaScript, Visual Basic Script, XML and more will be included to provide an even more comprehensive suite for protecting against XSS nasties.
  • Allow Partially Trusted Caller Attribute (APTCA) Support: The new library can be deployed in least privileged scenarios (that's a good thing!).  (You can all thank one of our Security MVPs Dominick Baier for this <g>).
  • A More Consistent Namespace: In order to be more consistent with the .NET Framework namespace, the namespace will be changed to Microsoft.Security.Application.AntiXss.  Users of the old namespace in V1.0 (Microsoft.Security.Application.AntiXSSLibrary) will not have to change their implementations, as support for that namespace will be provided, so this change will be transparent for them.

  • Improved Sample Applications and Tutorials: Version 1.0 contained some examples of implementations of the library; however, what was missing were pragmatic tutorials on how to implement the library properly.

  • A Clearer End User License Agreement (EULA): The EULA included with V1.0 (I am sure everyone reads their EULAs … <g>) wasn't very clear and caused some confusion.  That will be fixed for V1.5. 

  • Significant Performance Improvements: Thank Lucius Fleuchaus when you can; he's another Microsoft employee!

And much more ... I've also got a couple more interesting tools coming, so it should definitely be an interesting 2006.  Keep an eye on the official Application Consulting & Engineering (ACE) team blog at http://blogs.msdn.com/ace_team/default.aspx for the official release announcement of these tools and many others.

 

By the way, if you're interested in learning more about XSS attacks, check out these links:

Thanks,

 

--

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team