Our application accepts xml data through our WCF interfaces. This xml data is based on a variety of sources on a client's system, and transformed into a final inbound xml document for our application.
This xml data is then used to generate data in our database and create business objects in our app. Some of this data will be rendered directly on screen to end users of this data.
As we have very little control over the variety of data sources on the client machine, but only on the final inbound xml, there is a potential (albeit small) of someone attempting an XSS attack via our xml structure.
I want to be able to strip out any attributes and / or potential malicious html from the XML document, WITHOUT encoding the entire XML doc.
I figured the antixss component would be a match, but this appears to throw the baby out with the bathwater, as it were, since the entire XML document ends up encoded, rather than just the sections which contain potential XSS attacks.
Any thoughts on how I could accomplish this?