I've read the OWASP guidelines regarding preventing XSS. The guidelines seem to only refer to having a whitelist and encoding output. However, this leaves open the problem with so-called free text fields, e.g. the text box I'm writing in to make this post.
Are there any preventative measures besides a blacklist (not desirable) that can be done server-side when accepting free text fields?
From the OWASP guidelines I get the impression that XSS should just be allowed to be stored in the database and just sanitised whenever it is displayed to the front end. I am, however, a bit uncomfortable with this. Or do I have it wrong; is there a better way?
I get the impression that XSS should just be allowed to be stored in the database and just sanitised whenever it is displayed to the front end
That is correct. Whichever anti-XSS encoding library/function you use to do the encoding will prevent the XSS attempt from working, by preventing the dodgy code being rendered as HTML when it is added to the page output.
You should not attempt to scrub the input before storing it for much the same reason that you do not maintain a blacklist - it is too easy to get it wrong, and either scrub too much or not enough. If you are going to attempt to scrub the input, you had better know what you are doing.
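The pattern the answer describes, as an added example that is not part of the original post: free text is stored exactly as submitted and encoded only at the point of output, separately for each HTML context, while a naive "scrub on input" filter is shown losing legitimate text. The in-memory store, the function names and the sample inputs are constructed for illustration.

```python
import html
import re

# Constructed stand-in for the database: posts are persisted exactly as submitted.
_posts: list[str] = []


def store_post(text: str) -> str:
    """Persist the raw text unchanged; no scrubbing happens on input."""
    _posts.append(text)
    return text


def encode_for_html_body(text: str) -> str:
    """Encode for an HTML element body: & < > " ' become entities, so the
    browser renders the characters as text rather than as markup."""
    return html.escape(text, quote=True)


def encode_for_html_attribute(text: str) -> str:
    """Encode for a quoted attribute value. The same characters are encoded;
    the template must also wrap the value in quotes (see render_post)."""
    return html.escape(text, quote=True)


def render_post(text: str) -> str:
    """Build the page fragment, encoding at output for each context used."""
    return (
        f'<div class="post" title="{encode_for_html_attribute(text)}">'
        f"{encode_for_html_body(text)}</div>"
    )


def naive_strip_tags(text: str) -> str:
    """An input-time scrubber that scrubs too much: it deletes everything
    between '<' and '>', including ordinary text that merely contains them."""
    return re.sub(r"<[^>]*>", "", text)


if __name__ == "__main__":
    # Constructed sample input containing HTML markup.
    raw = store_post('<b onmouseover="x()">hi</b>')
    print(render_post(raw))
    # Legitimate text with comparison operators is mangled by the naive scrubber.
    print(naive_strip_tags("if a<b and c>d then"))
```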