Re: [xml] Libxml2 + XSS Sanitizer?

I need the full blown sanitizer. Its a webmail system, so I'll be sticking hostile [x]html+js+css into a trusted page. I should get some protection by inserting the content into an iframe along with the html5 sandbox attribute; but I'd like to play it safe and try to remove (or comment out) anything potentially hazardous before things even get that far. I can remove script tags easily enough, but trying to write code that is smart enough to recognize unsafe css and/or pick up on attribute level js/css along with possible escaping tricks isn't trivial. Not to mention keeping the list would likely require periodic updates as technologies change.

In my case I also need to block external content references (like images), till the user acks. And with Html5, there are probably a few other tags where I'll need to detect external refs and block them.

I've found lots of code to handle this issue in PHP, Ruby, Python, C#, heck even Haskell, but nothing in C. And I found it rather surprising there wasn't anything close to an example showing how to accomplish the above using libxml2.

My hope is that someone else solved this problem already and wouldn't mind posting their implementation to the list? <grin />

On 6/1/2011 3:42 PM, Eric S. Eberhard wrote:
Do you need a full-on sanitizer, or just to do the escaping? Eric

At 01:39 PM 6/1/2011, you wrote:
Anyone know where I can find an XSS sanitizer written in C and built atop libxml2? There must 20 different libraries out there, but I couldn't find any that were in C, and I'd rather not reinvent the wheel.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]