The Lounge is rated PG. If you're about to post something you wouldn't want your
kid sister to read then don't post it. No flame wars, no abusive conduct, no programming
questions and please don't post ads.
Looking at the Entity Framework 5 release, it has some nifty features I'd like to take advantage of (e.g., automatic query compilation, proper lookups of indexed varchar columns). However, many of those features will not work unless you have .Net 4.5, and we have .Net 4.
So, we just need to install .Net 4.5. However, .Net 4.5 doesn't work on Windows Server 2003, which is what our development server is on. So, we need to upgrade Windows.
And once we upgrade Windows, .Net, and Entity Framework, there are still some features we can't take advantage of (e.g., table-valued parameters), because we are on SQL Server 2005. We were supposed to upgrade to 2008 months ago, but it never happened. So, that will need to be kick-started too.
This could take a while to get all these ducks in a row...
Funny thing is we already have licenses. We just need the personnel to perform the upgrades. I'm just a web monkey; they don't (usually) let me install stuff on the servers. They already have plenty of DBAs, software engineers, and license managers to avoid installs as long as possible.
It's not .NET's fault; it's actually an XSS attack that the tool is testing for. What the tool is saying is that you should validate the input before that URL has a chance to be generated. You can cause a lot of problems for your users if you have XSS vulnerabilities; it's what virus writers use to spread viruses over the internet.
You should raise this as a serious bug with the original developers.
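To make the point in the reply above concrete, here is an added example (it is not code from the original thread or from the tool being discussed) of the bug class such a scanner flags: a query parameter reflected into a generated login URL. The page path, the `ReturnUrl` parameter name and the sample payload are assumptions chosen for illustration. The vulnerable builder pastes the raw value into an `href`; the hardened one validates it against an allow-list of site-relative paths before the URL is generated, then encodes for the URL and for the HTML attribute it lands in.

```javascript
// Added example, not from the original post. Demonstrates reflected XSS
// through a generated URL and the validate-then-encode fix.
// Assumed for illustration: a login page at /Account/Login that takes a
// ReturnUrl query parameter.

// Allow-list for ReturnUrl: a site-relative path only. The (?!\/) rejects
// protocol-relative values such as //evil.example, which would otherwise
// pass as "a path" and become an open redirect.
const ALLOWED_RETURN_PATH = /^\/(?!\/)[A-Za-z0-9_\-\/]*$/;

// VULNERABLE: the raw parameter is interpolated into an attribute with no
// validation or encoding. A value like  "><script>alert(1)</script>
// closes the attribute and injects markup into the page.
function buildLinkVulnerable(returnUrl) {
  return `<a href="/Account/Login?ReturnUrl=${returnUrl}">Log in</a>`;
}

// Encode the characters that matter inside element content and inside
// double- or single-quoted attribute values.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// HARDENED: validate before the URL is generated (the advice in the thread),
// fall back to a safe default on anything unexpected, then encode once for
// the URL component and once for the HTML attribute context.
function buildLinkSafe(returnUrl) {
  const candidate = typeof returnUrl === 'string' ? returnUrl : '';
  const safePath = ALLOWED_RETURN_PATH.test(candidate) ? candidate : '/';
  const url = '/Account/Login?ReturnUrl=' + encodeURIComponent(safePath);
  return `<a href="${htmlEncode(url)}">Log in</a>`;
}

// Crude check of the kind a scanner performs on the response: did an
// injected tag survive into the generated HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample payload (attribute break-out followed by a script tag).
const PAYLOAD = '"><script>alert(1)</script>';

console.log('vulnerable:', buildLinkVulnerable(PAYLOAD));
console.log('hardened:  ', buildLinkSafe(PAYLOAD));
console.log('normal:    ', buildLinkSafe('/Home/Index'));
```

The allow-list is deliberately narrow: it only needs to accept the paths this application actually redirects to, and everything else collapses to `/`. Encoding alone would stop the markup injection, but validating first also closes the open-redirect variant (`javascript:` or `//host` values) that encoding does nothing about.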
Red-Siren testing is something I implemented at several Fortune 500 companies and many smaller companies.
It's testing that seeks to reveal critical security issues in an OS, system, web app, application, or the occasional contract developer who picks their nose and doesn't <ahem> dispose of the content on their finger but continues typing ... all of which, when discovered, generate a "red-siren" type warning (akin to an actual red emergency light and siren on an emergency vehicle).