Re: [xml] Libxml2 + XSS Sanitizer?



I need the full blown sanitizer. It's a webmail system, so I'll be sticking hostile [x]html+js+css into a trusted page. I should get some protection by inserting the content into an iframe along with the html5 sandbox attribute; but I'd like to play it safe and try to remove (or comment out) anything potentially hazardous before things even get that far. I can remove script tags easily enough, but trying to write code that is smart enough to recognize unsafe css and/or pick up on attribute level js/css along with possible escaping tricks isn't trivial. Not to mention keeping the list would likely require periodic updates as technologies change.

In my case I also need to block external content references (like images), till the user acks. And with Html5, there are probably a few other tags where I'll need to detect external refs and block them.

I've found lots of code to handle this issue in PHP, Ruby, Python, C#, heck even Haskell, but nothing in C. And I found it rather surprising there wasn't anything close to an example showing how to accomplish the above using libxml2.

My hope is that someone else solved this problem already and wouldn't mind posting their implementation to the list? <grin />


On 6/1/2011 3:42 PM, Eric S. Eberhard wrote:
Do you need a full-on sanitizer, or just to do the escaping? Eric


At 01:39 PM 6/1/2011, you wrote:
Anyone know where I can find an XSS sanitizer written in C and built atop libxml2? There must be 20 different libraries out there, but I couldn't find any that were in C, and I'd rather not reinvent the wheel.
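Added example, not code from the thread or from the libxml2 project: the element and attribute policy that a libxml2-based sanitizer would apply while walking the tree built by htmlReadMemory(). It covers the points raised above: allowlisting tags, dropping on* handlers and inline style, catching javascript:/data: URLs even when they hide behind numeric character references or embedded whitespace, and holding external references (images and the like) until the user acks. Only the decision logic is shown, so the block compiles without libxml2; the tree walk itself (xmlGetProp/xmlUnsetProp/xmlUnlinkNode) is left to the caller. The names classify_url, sanitize_attr and sanitize_tag, the allowlists and the sample attributes are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Added example (not libxml2 code): policy layer for an allowlist sanitizer.
 * Call these from a walk over the xmlNode tree htmlReadMemory() returns. */

typedef enum { URL_LOCAL, URL_EXTERNAL, URL_BLOCKED } url_class;
typedef enum { ATTR_KEEP, ATTR_HOLD, ATTR_DROP } attr_action;   /* HOLD = until user acks */
typedef enum { TAG_KEEP, TAG_UNWRAP, TAG_REMOVE } tag_action;   /* UNWRAP = keep children only */

/* Canonicalise a URL-bearing value before inspecting its scheme: decode numeric
 * character references (&#106; &#x6A;), strip ASCII whitespace/control chars,
 * lowercase. libxml2 already decodes references while parsing, so on a real
 * tree this is belt-and-braces, but it means "jav&#x09;ascript:" cannot slip past. */
static size_t normalize_url(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p = in;
    while (*p && n + 1 < outsz) {
        int c = (unsigned char)*p++;
        if (c == '&' && *p == '#') {
            const char *q = p + 1;
            int base = 10;
            char *end;
            long v;
            if (*q == 'x' || *q == 'X') { base = 16; q++; }
            v = strtol(q, &end, base);
            if (end != q) {                       /* well-formed numeric reference */
                if (*end == ';') end++;
                p = end;
                c = (v > 0 && v < 128) ? (int)v : '?';   /* non-ASCII: neutral placeholder */
            }
        }
        if (c <= 0x20 || c == 0x7f) continue;     /* whitespace / control: drop */
        out[n++] = (char)tolower(c);
    }
    out[n] = '\0';
    return n;
}

url_class classify_url(const char *raw)
{
    char norm[512];
    const char *colon, *stop;
    normalize_url(raw, norm, sizeof norm);
    colon = strchr(norm, ':');
    stop = strpbrk(norm, "/?#");
    if (colon && (stop == NULL || colon < stop)) {          /* value carries a scheme */
        size_t len = (size_t)(colon - norm);
        if ((len == 4 && !memcmp(norm, "http", 4)) || (len == 5 && !memcmp(norm, "https", 5)))
            return URL_EXTERNAL;
        if ((len == 3 && !memcmp(norm, "cid", 3)) || (len == 6 && !memcmp(norm, "mailto", 6)))
            return URL_LOCAL;                                /* inline MIME part / mail link */
        return URL_BLOCKED;           /* javascript:, vbscript:, data:, and anything unknown */
    }
    if (norm[0] == '/' && norm[1] == '/') return URL_EXTERNAL;   /* scheme-relative */
    return URL_LOCAL;
}

static int in_list(const char *name, const char *const *list)
{
    for (int i = 0; list[i]; i++) if (!strcasecmp(name, list[i])) return 1;
    return 0;
}

/* Decide the fate of one attribute on one element (names as libxml2 reports them). */
attr_action sanitize_attr(const char *elem, const char *name, const char *value)
{
    static const char *const url_attrs[] = { "href", "src", "action", "formaction",
                                             "background", "poster", "data", NULL };
    static const char *const plain_ok[] = { "alt", "title", "width", "height", "colspan",
                                            "rowspan", "align", "dir", "lang", NULL };
    if (!strncasecmp(name, "on", 2)) return ATTR_DROP;        /* onclick, onerror, ... */
    if (!strcasecmp(name, "style")) return ATTR_DROP;         /* url(), expression(), behaviors */
    if (in_list(name, url_attrs)) {
        url_class uc = classify_url(value);
        if (uc == URL_BLOCKED) return ATTR_DROP;
        if (uc == URL_LOCAL) return ATTR_KEEP;
        /* external: a plain link is not auto-fetched, everything else is */
        return (!strcasecmp(elem, "a") && !strcasecmp(name, "href")) ? ATTR_KEEP : ATTR_HOLD;
    }
    return in_list(name, plain_ok) ? ATTR_KEEP : ATTR_DROP;   /* unknown attribute: deny */
}

tag_action sanitize_tag(const char *name)
{
    static const char *const remove[] = { "script", "style", "iframe", "frame", "frameset",
        "object", "embed", "applet", "meta", "link", "base", "form", "input", "button",
        "textarea", "select", NULL };
    static const char *const keep[] = { "html", "head", "title", "body", "p", "br", "div",
        "span", "a", "img", "b", "i", "u", "strong", "em", "ul", "ol", "li", "table", "thead",
        "tbody", "tr", "td", "th", "blockquote", "pre", "code", "h1", "h2", "h3", "h4", "h5",
        "h6", "hr", NULL };
    if (in_list(name, remove)) return TAG_REMOVE;             /* element and its subtree */
    if (in_list(name, keep)) return TAG_KEEP;
    return TAG_UNWRAP;                  /* unknown element: keep its text, drop the tag */
}

int main(void)
{
    /* Constructed sample attributes, as a tree walker would hand them over. */
    const char *sample[][3] = {
        { "a",   "href",    "jav&#x09;ascript:alert(document.cookie)" },
        { "img", "src",     "https://tracker.example/pixel.gif" },
        { "img", "src",     "cid:part1.png@mail" },
        { "div", "onclick", "x()" },
        { "td",  "colspan", "2" },
    };
    static const char *const words[] = { "keep", "hold until user acks", "drop" };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("<%s %s=\"%s\"> -> %s\n", sample[i][0], sample[i][1], sample[i][2],
               words[sanitize_attr(sample[i][0], sample[i][1], sample[i][2])]);
    return 0;
}
```

Wiring this into libxml2 is the easy half: walk the tree depth-first, fetch the next sibling before you xmlUnlinkNode()/xmlFreeNode() a TAG_REMOVE element, splice children up for TAG_UNWRAP, xmlUnsetProp() on ATTR_DROP, and for ATTR_HOLD move the value into a placeholder attribute that the UI restores once the user acks. Everything not explicitly allowed is denied, which is what keeps the list from needing an update every time a new tag or attribute appears.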