Syed Aslam Basha here…..I am a tester on the Information Security Tools team.

There is a new build of CAT.NET Version 1.1.1.9 now available for download on MSDN (32 bit here and 64 bit here). We recommend *ALL* users upgrade to this latest release, a bug fix and minor improvements build. As well as some functional bugs we have updated the Encodings.xml file so that AntiXSS, Httputility, Httpserverutility and IOsec methods (now superseded but still in use) libraries will no longer produce false positives.

In Summary

Library

Method

Is it part of encodings.xml?

Anti-XSS

GetNormalizedHtml

Yes

Anti-XSS

GetSafeHtml

Yes

Anti-XSS

GetSafeHtmlFragment

Yes

Anti-XSS

HtmlAttributeEncode

Yes

Anti-XSS

HtmlEncode

Yes

Anti-XSS

JavaScriptEncode

No

Anti-XSS

UrlEncode

Yes

Anti-XSS

VisualBasicScriptEncode

No

Anti-XSS

XmlAttributeEncode

NO

Anti-XSS

XmlEncode

NO

IOSec

AsNumeric

No

IOSec

AsUrl

Yes

IOSec

EncodeHtml

Yes

IOSec

EncodeHtmlAttribute

NO

IOSec

EncodeXml

Yes

IOSec

EncodeXmlAttribute

Yes

IOSec

EncodeJs

No

IOSec

EncodeVbs

No

HttpUtility

HtmlAttributeEncode

Yes

HttpUtility

HtmlDecode

Yes

HttpUtility

HtmlEncode

Yes

HttpUtility

UrlDecode

Yes

HttpUtility

UrlDecodeToBytes

No

HttpUtility

UrlEncode

Yes

HttpUtility

UrlEncodeToBytes

No

HttpUtility

UrlEncodeUnicode

No

HttpUtility

UrlEncodeUnicodeToBytes

No

HttpUtility

UrlPathEncode

Yes

HttpServerUtility

HtmlDecode

Yes

HttpServerUtility

HtmlEncode

Yes

HttpServerUtility

UrlDecode

Yes

HttpServerUtility

UrlEncode

Yes

HttpServerUtility

UrlPathEncode

Yes

HttpServerUtility

UrlTokenDecode

No

HttpServerUtility

UrlTokenEncode

No

A full list of changes can be found in the changelog in the new build.

- Syed