New Build of CAT.NET (Version - 1.1.1.9) – Please Upgrade

 Syed Aslam Basha here from the Information Security Tools team.

There is a new build of CAT.NET, Version 1.1.1.9, now available for download on MSDN (32 bit here and 64 bit here). We recommend *ALL* users upgrade to this latest release, a bug fix and minor improvements build. As well as fixing some functional bugs, we have updated the Encodings.xml file so that methods from the AntiXSS, HttpUtility, HttpServerUtility and IOSec (now superseded but still in use) libraries will no longer produce false positives.

In Summary

| Library | Method | Is it part of Encodings.xml? |
|---|---|---|
| Anti-XSS | GetNormalizedHtml | Yes |
| Anti-XSS | GetSafeHtml | Yes |
| Anti-XSS | GetSafeHtmlFragment | Yes |
| Anti-XSS | HtmlAttributeEncode | Yes |
| Anti-XSS | HtmlEncode | Yes |
| Anti-XSS | JavaScriptEncode | No |
| Anti-XSS | UrlEncode | Yes |
| Anti-XSS | VisualBasicScriptEncode | No |
| Anti-XSS | XmlAttributeEncode | No |
| Anti-XSS | XmlEncode | No |
| IOSec | AsNumeric | No |
| IOSec | AsUrl | Yes |
| IOSec | EncodeHtml | Yes |
| IOSec | EncodeHtmlAttribute | No |
| IOSec | EncodeXml | Yes |
| IOSec | EncodeXmlAttribute | Yes |
| IOSec | EncodeJs | No |
| IOSec | EncodeVbs | No |
| HttpUtility | HtmlAttributeEncode | Yes |
| HttpUtility | HtmlDecode | Yes |
| HttpUtility | HtmlEncode | Yes |
| HttpUtility | UrlDecode | Yes |
| HttpUtility | UrlDecodeToBytes | No |
| HttpUtility | UrlEncode | Yes |
| HttpUtility | UrlEncodeToBytes | No |
| HttpUtility | UrlEncodeUnicode | No |
| HttpUtility | UrlEncodeUnicodeToBytes | No |
| HttpUtility | UrlPathEncode | Yes |
| HttpServerUtility | HtmlDecode | Yes |
| HttpServerUtility | HtmlEncode | Yes |
| HttpServerUtility | UrlDecode | Yes |
| HttpServerUtility | UrlEncode | Yes |
| HttpServerUtility | UrlPathEncode | Yes |
| HttpServerUtility | UrlTokenDecode | No |
| HttpServerUtility | UrlTokenEncode | No |

 A full list of changes can be found in the changelog in the new build.

-Syed Aslam Basha ( syedab@microsoft.com )

Microsoft Information Security Tools (IST) Team

Test Lead