SPF v1.0.5.1 Released

Aug 18, 2009 at 4:45 AM
Edited Aug 19, 2009 at 11:28 PM

SPF v1.0.5.1 has just been pushed up, which includes the following two minor bug fixes. 

1. There was a weird error involving cross-form form posts where SPF was incorrectly throwing an "Invalid Parameter Name" error. This issue was accidentally introduced when doing some code cleanup for the open source release.

2. There was a null reference being thrown by SPF when the IIS7 Request Filtering module blocks access to a request further down the pipeline. Thanks to Gareth Heyes for reporting this issue.

I've also decided to take a white-list approach to HTML encoding SPF error messages similar to that used by the Microsoft Anti-XSS Library.  This wasn't in response to any exploitable issue, but a move for defense in depth in preventing possible XSS vectors down the road.