Reputation: 43
I’ve started to work with security of a website and my task is to prevent XSS attack. I’ve seen the OWASP rules to deal with it. However, I am not sure about which of these rules I should use on my specific case. I have the following .jsp file:
<%
    // Get request parameters
    InputData data = new InputData(request);
    int idBcomp = data.getInt("bcomp");
    Bcomp bcomp = new Bcomp();
    BcompDao bcompDao = new BcompDaoImpl();
    bcomp.setId(idBcomp);
    JSONObject json = new JSONObject();
    try {
        for (Bcomp s : bcompDao.find(bcomp)) {
            json.accumulate("id", s.getId());
            json.accumulate("nome", s.getNome());
            json.accumulate("nox", s.getNox());
        }
    } catch (SQLException e) {
        json.accumulate("erro", e.getMessage());
    } catch (Exception e) {
        json.accumulate("erro", e.getMessage());
    }
    // JSONObject.toString() produces the JSON-encoded body sent to the client
    out.write(json.toString());
%>
I also have the .js file that receives and manipulates the JSON created by the file above. In this file I have the following code:
// "import" is a reserved word in JavaScript and cannot be used as a function name,
// so the function is renamed here
function importBcomp(idBcomp) {
    $.ajax({
        url: 'ajax/bcomp.jsp',
        data: {bcomp: idBcomp}
    }).done(function (r) {
        var obj = $.parseJSON(r);
        // .val() sets the input's value property; the strings are treated as data
        $("#nome").val(obj.nome);
        $("#nox").val(obj.nox);
        $("#id_bcomp").val(obj.id);
    });
}
Therefore, my question is: should I use JavaScript encoding, JSON encoding, or both? And where should I do the encoding? I am using the OWASP XSS API for encodeForJavaScript and JSON encoding.
Upvotes: 2
Views: 158
Reputation: 17690
JSON encoding. JSON indicates to the browser that the content is DATA ONLY and should not be executed. JavaScript encoding indicates a potentially executable bundle.
Upvotes: 1
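Added example (not code from the question, the answer, or the OWASP library) showing why JSON encoding is the right layer for the bcomp.jsp to import() round trip, and what goes wrong if JavaScript encoding is layered on top. It runs under Node.js without jQuery; `jsEncode` is a small stand-in written for this example that mimics the `\xHH` style of a JavaScript-context encoder, not the OWASP implementation.

```javascript
// Constructed sample row, as if returned by bcompDao.find(): "nome" carries an
// XSS-looking string so we can watch what each encoding does to it.
const row = { id: 7, nome: '<script>alert(1)</script>"; x="', nox: 'NOx "3"' };

// Server side, JSON encoding only: the equivalent of JSONObject.toString().
// Quotes and backslashes inside values are escaped, so no value can terminate
// the JSON string it sits in.
function toJsonResponse(r) {
  return JSON.stringify({ id: r.id, nome: r.nome, nox: r.nox });
}

// Stand-in for a JavaScript-context encoder (approximation for this example):
// every non-alphanumeric character becomes a \xHH or \uHHHH escape.
function jsEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, (ch) => {
    const cp = ch.charCodeAt(0);
    return cp < 0x100
      ? '\\x' + cp.toString(16).padStart(2, '0').toUpperCase()
      : '\\u' + cp.toString(16).padStart(4, '0').toUpperCase();
  });
}

// Wrong layering ("both"): JavaScript-encode the values, then JSON-encode the object.
function toDoubleEncodedResponse(r) {
  return JSON.stringify({ id: r.id, nome: jsEncode(r.nome), nox: jsEncode(r.nox) });
}

// Client side: what import() does after $.parseJSON(r). The parsed strings go to
// .val(), which sets a value property, so they are never parsed as HTML or script.
function clientReceive(body) {
  const obj = JSON.parse(body);
  return { nome: obj.nome, nox: obj.nox, id: obj.id };
}

// 1. JSON encoding only: the payload round-trips as an inert string, unchanged.
const ok = clientReceive(toJsonResponse(row));

// 2. Both encodings: JSON escaped the backslashes, so the browser now shows the
// literal text "\x3Cscript..." in the field. The data is corrupted, nothing is gained.
const dbl = clientReceive(toDoubleEncodedResponse(row));

// Caveat: JSON.stringify leaves "<" untouched. That is fine for a response the
// client fetches with $.ajax and parses, but would matter if the same JSON were
// ever inlined into a <script> block, which is a different context.
function bodyKeepsRawAngleBrackets(body) {
  return body.includes('<script>');
}
```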