I have a bulletin on my site that all valid users have access to (read and write). User input posted to this bulletin is stored in JSON. Because of these qualities there is definitely some concern for XSS. I'm hoping to figure out the best way to protect my app and its users when using this feature.
Validation – because this is a bulletin/message board I would prefer to allow users access to any character they can type. One user might need to say
Boss says "Specials for ages < 12 & > 65 are as follows...". Because of my requirements, validation does not seem possible.
Sanitization – this has the same issues as validation; we would lose functionality.
Encoding – I'm fairly new to this and do not know how one might encode user input to make it safe within the DOM (or JSON). If this is the preferred route I am interested in links to documentation or examples.
I am adding to the content by doing something similar to the following, where obj is the full entry and message is the user-supplied input:
var body = $('<p>').text(obj.message);
Because I am only adding user input in the text context, does that mean I can avoid concern?
Lastly, I am newer to using JSON to store user supplied info. I have not been able to find much on JSON security but if you have any topics related to the above, I would appreciate links to documentation.
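Added example (not code from the original post): the context-aware output encoding the question asks about, written in plain JavaScript so it runs in Node without a DOM. The entry object and its message are constructed here; encodeHtml, jsonForScript and the render functions are names chosen for this example. It shows the HTML text/attribute encoding that the question's $('<p>').text(obj.message) gets from the DOM for free, the string-template equivalent that is unsafe, and the extra escaping JSON needs when it is embedded inside a <script> block rather than fetched and parsed.

```javascript
// Constructed sample entry, shaped like the `obj` in the question. The
// message keeps every character a user might type, including an XSS payload.
const sampleEntry = {
  author: "boss",
  message:
    'Boss says "Specials for ages < 12 & > 65 are as follows..." <img src=x onerror=alert(1)>',
};

// Encode a string so it is inert as HTML text content or inside a
// double-quoted attribute value. Each character that can change the HTML
// parser's state becomes a character reference; nothing is removed, so the
// user still sees exactly what they typed.
function encodeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Serialize a value as JSON that is safe to inline in a <script> element.
// JSON.stringify alone is not enough there: a string containing "</script>"
// ends the script element early and "<!--" opens an HTML comment. Escaping
// '<', '>', '&' and the U+2028/U+2029 line terminators as \uXXXX keeps the
// output valid JSON that parses back to the same value.
function jsonForScript(value) {
  const map = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
  };
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => map[ch]);
}

// Render one entry to an HTML string the way a string-based template would.
// This is the hand-rolled equivalent of $('<p>').text(obj.message): the
// message lands in the text context and can only ever be text.
function renderEntryHtml(entry) {
  return `<p data-author="${encodeHtml(entry.author)}">${encodeHtml(entry.message)}</p>`;
}

// The unsafe variant for contrast: interpolating the raw message is the
// string equivalent of .html() / innerHTML, and the <img> payload executes.
function renderEntryHtmlUnsafe(entry) {
  return `<p data-author="${entry.author}">${entry.message}</p>`;
}

// Check that script-safe JSON still round-trips: JSON.parse must give back
// the original message unchanged, otherwise the encoding broke the data.
function roundTrips(entry) {
  const parsed = JSON.parse(jsonForScript(entry));
  return parsed.message === entry.message && parsed.author === entry.author;
}

console.log("safe:   " + renderEntryHtml(sampleEntry));
console.log("unsafe: " + renderEntryHtmlUnsafe(sampleEntry));
console.log("script: " + jsonForScript(sampleEntry));
```

The encoder to use is decided by where the data lands, not by what the data is: text or attribute context gets encodeHtml (or, in the browser, .text() / textContent), an inlined <script> block gets jsonForScript, and a URL or CSS context would need its own encoder again. Storing the raw message in JSON is fine as long as every render path applies the encoder for its own context.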