I’m excited to announce
the June 2012 release of
the Ajax Control Toolkit. You can download
the new release by visiting http://AjaxControlToolkit.CodePlex.com or (better) download
the new release with NuGet:
Install-Package AjaxControlToolkit
The Ajax Control Toolkit continues to be super popular.
The previous release (May 2012) had over 87,000 downloads from CodePlex.com and over 16,000 downloads from NuGet. That’s over 100,000 downloads in less than 2 months.
Security Improvements for
the HtmlEditorExtender
Unfortunately, in
the previous release, we made
the HtmlEditorExtender too secure! We upgraded
the version of
the Microsoft Anti-Cross Site Scripting Library included in
the Ajax Control Toolkit to
the latest version (version 4.2.1) and
the latest version turned out to be way too aggressive about stripping HTML. It not only strips dangerous tags such as <script> tags, it also strips innocent tags such as <b> tags.
When
the latest version of
the Microsoft Anti-Cross Site Scripting Library is used with
the HtmlEditorExtender,
the library strips all rich content from
the HtmlEditorExtender control which defeats
the purpose of using
the control.
Therefore, we had to find a replacement for
the Microsoft Anti-Cross Site Scripting Library. In this release, we’ve created a new HTML sanitizer built on
the HTML Agility Pack. If you were using
the AntiXssSanitizerProvider then you will need to substitute
the HtmlAgilityPackSanitizerProvider. In particular, you need to modify
the sanitizer sections in your Web.config file like this:
<configuration>
<configSections>
<sectionGroup name="system.web">
<section name="sanitizer" requirePermission="false"
type="AjaxControlToolkit.Sanitizer.ProviderSanitizerSection, AjaxControlToolkit" />
</sectionGroup>
</configSections>
<system.web>
<sanitizer defaultProvider="HtmlAgilityPackSanitizerProvider">
<providers>
<add name="HtmlAgilityPackSanitizerProvider" type="AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider"></add>
</providers>
</sanitizer>
</system.web>
</configuration>
We made one other backwards-breaking change to improve
the security of
the HtmlEditorExtender. We want to make sure that users don’t accidently use
the HtmlEditorExtender without an HTML sanitizer by accident. Therefore, if you don’t configure a HTML sanitizer provider in
the web.config file then you’ll get
the following error:
If you really want to use
the HtmlEditorExtender without using an HTML sanitizer – for example, you are using
the HtmlEditorExtender for an Intranet application and you trust all of your fellow employees – then you can explicitly indicate that you don’t want to enable HTML sanitization by setting
the EnableSanitization property to false like this:
<ajaxToolkit:HtmlEditorExtender
TargetControlID="txtComments"
EnableSanitization="false"
runat="server" />
Please don’t ever set
the EnableSanitization property to false for a public website. If you disable HTML sanitization then you are making your website an easy target for Cross-Site Scripting attacks.
Lots of Fixes for
the ComboBox Control
In
the latest release, we also made several important bug fixes and feature enhancements to
the ComboBox control. Here’s
the list of issues that we fixed:
22930 — ComboBox doesn’t close its drop down list when losing input focus to another ComboBox control
23140 — ComboBox Issues – Delete, Backspace, Period
23142 — ComboxBox SelectedIndex = -1 does not clear text
24440 — ComboBox postback on enter
25295 — ComboBox problems when container is hidden at page load
25469 — ComboBox – MaxLength ignored
26686 — Backspace and Delete exception when optionList is null
27148 — Combobox breaks if ClientIDMode is static
Fixes to Other Controls
In this release, we also made bug fixes and enhancements to
the UpdatePanelAnimation, Tabs, and Seadragon controls:
21310 — OnUpdated animation starts before OnUpdating has finished
26690 — Seadragon Control’s openTileSource() method doesn’t work (with fix) Title is required
We also fixed an issue with
the Tabs control which would result in an InvalidOperation exception.
Summary
I want to thank
the Superexpert team for
the hard work that they put into this release. In particular, I want to thank them for their effort in researching, building, and writing unit tests for
the HtmlAgilityPack HTML sanitizer.
