I am creating a webpage where the user can interact and perform basic filesystem operations (create file/dir, delete file/dir, navigate filesystem) on a remote computer. The webpage is basic HTML (UTF-8 encoding) and JavaScript. I need to make this webpage XSS proof.
Would escaping all non-alphanumeric chars in user input (to protect against DOM-based XSS) and filename info (to protect against stored XSS) using JavaScript (this outputs percent-encoded hex values) suffice?
I am essentially whitelisting only the alphanumeric input. Also, since I am using percent encoded hex values, I am assuming the UTF encoding vulnerability should not be present.
Can anyone think of any security loophole in this mechanism?
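As an added illustration (not the original poster's code), here is the alphanumeric whitelist the question describes, written so it encodes per UTF-8 byte, together with a validator that can be run on the server to confirm a value really is in the whitelisted form, an HTML-escaping alternative for cases where the name must stay readable, and a helper that writes a name into the page through `textContent` rather than `innerHTML`. The function names and the sample filenames are constructed for this example.

```javascript
// Added example: strict percent-encoding whitelist plus safe DOM output.

// Encode every non-alphanumeric UTF-8 byte as %XX. Operating on bytes (not
// code units) means multi-byte characters become plain %XX sequences too.
function encodeStrict(s) {
  const bytes = new TextEncoder().encode(String(s));
  let out = '';
  for (const b of bytes) {
    const isAlnum = (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) ||
                    (b >= 0x61 && b <= 0x7a);
    out += isAlnum ? String.fromCharCode(b)
                   : '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// Server-side check: accept only [A-Za-z0-9] and well-formed %XX triplets.
// Anything else (raw '<', '"', a lone '%', a double-encoded %25 is fine) fails.
function isSafeEncoded(s) {
  return /^(?:[A-Za-z0-9]|%[0-9A-Fa-f]{2})*$/.test(String(s));
}

// Alternative for readable output inside an HTML text node or attribute value:
// escape only the characters that matter in an HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[ch]);
}

// Safe sink: textContent never parses markup, so the raw name can be shown
// as-is. `el` is any object with a writable textContent (a DOM element in
// the browser; a plain object is enough to exercise it outside a browser).
function renderName(el, name) {
  el.textContent = name;
  return el.textContent;
}

// Constructed sample names, including a markup payload and a non-ASCII name.
const samples = ['report.txt', 'My Report.pdf', '<script>alert(1)</script>', 'café'];

for (const name of samples) {
  const enc = encodeStrict(name);
  console.log(JSON.stringify(name), '->', enc, '| valid:', isSafeEncoded(enc));
}
```

The encoder is applied on the client in the question; `isSafeEncoded` is the piece a defender would keep on the server, since a whitelist that is only enforced in browser code can be bypassed by sending the request directly. The sample run also shows the usability cost of percent-encoding everything: `My Report.pdf` is stored and displayed as `My%20Report%2Epdf`, which is why the usual pattern is to keep the original name as data and only neutralise it at the point of output, with `textContent` (or `escapeHtml` when building HTML strings) chosen for the context the value lands in.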