Post #14, 01-12-2013, 09:41 AM
rnd me
Senior Coder
Join Date: Jun 2007
Location: Urbana
Posts: 3,452
js performance is not a concern for this application, they will both encode a poem in less than a millisecond on an iPhone 3...

BUT, simply replacing the angles and quotes is nowhere near enough scrubbing!

depending on the xsl used, you could end up duplicating any/all tags and attribs submitted by the uploader. many of these are vectors: onmouseover for example. also, these chars can be escaped in myriad ways. i've seen attacks in some contexts that use nothing but digits. there's octal and utf encoding, malformed tags, all sorts of goodies. check the "xss cheatsheet" for details.


your editing setup sounds safe, but your view setup sounds open to xss attacks, even if you XML escape the quotes and angle brackets.

i recommend a char whitelist, [\w\s\-$=,.!?'"()@%+], or something like that. remove anything not needed for your app and force plain-ascii formatting. this can be just plain text, markdown, or bbcode, but not HTML. you turn the low-level markup into pretty HTML at the last second on the client...

make sure you parse the XML BEFORE you scrub it to defeat tricky escape routines.
this should all be done before any HTML is set or it's fed to XSL.
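The pipeline the post describes, written out as an added JavaScript example (this is not code from the post or its author): the whitelist is applied once to the already-parsed (decoded) value, and HTML is only produced at display time, after escaping, from a tiny `_emphasis_` markup. The function names, the `_emphasis_` construct and the sample poem line are this example's own assumptions; the character class is the one quoted in the post.

```javascript
// Added example, not from the original post. Two stages:
//   1. scrub(): drop every character outside the post's whitelist. Run it on
//      the decoded text (after the XML layer has parsed it), never on the raw
//      escaped form, so nothing can be decoded back into markup afterwards.
//   2. renderHtml(): at display time, HTML-escape the scrubbed text and only
//      then turn the low-level markup into HTML, so the only tags that reach
//      the DOM are the ones this function emits.

// Everything NOT in the post's whitelist [\w\s\-$=,.!?'"()@%+].
// In JavaScript \w is ASCII-only, which matches the "plain-ascii" advice.
const NOT_ALLOWED = /[^\w\s\-$=,.!?'"()@%+]/g;

// Stage 1: character whitelist. Angle brackets, '&', '#', ';' and '/' are all
// outside the class, so neither a tag nor a character reference survives.
function scrub(decodedText) {
  return decodedText.replace(NOT_ALLOWED, '');
}

// Stage 2a: escape the characters that matter in HTML text and attribute
// contexts. Quotes are inside the whitelist, so this step is still required.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Stage 2b: turn low-level markup into pretty HTML at the last second.
// One construct is supported here (an assumption of this example):
// _word_ becomes <em>word</em>. Because escaping already happened, the <em>
// emitted below is the only way a tag can appear in the output.
function renderHtml(scrubbedText) {
  return escapeHtml(scrubbedText).replace(/_([^_\s][^_]*)_/g, '<em>$1</em>');
}

// Full pipeline for one stored value: what goes to storage, and what goes to
// the page when it is viewed.
function processPoem(decodedInput) {
  const stored = scrub(decodedInput);
  return { stored, html: renderHtml(stored) };
}

// Constructed sample: a poem line with a stray element and an attribute in it.
const SAMPLE = 'Roses are red <i onmouseover="x">violets</i> are _blue_';

if (typeof require !== 'undefined' && require.main === module) {
  const out = processPoem(SAMPLE);
  console.log(out.stored); // Roses are red i onmouseover="x"violetsi are _blue_
  console.log(out.html);   // Roses are red i onmouseover=&quot;x&quot;violetsi are <em>blue</em>
}
```

The leftover `i onmouseover="x"` in the stored value is just text: with the brackets gone it can never form an element, and the quotes are neutralised by `escapeHtml` before the string reaches the DOM. If the whitelist were applied to the raw XML-escaped form instead of the parsed value, the `&` and `;` of a character reference would be stripped while its digits stayed, which is why the post insists on parsing first and scrubbing second.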