I currently have a simple Currently, the user can create a persistent XSS by ins
What about using Google Caja (a source-to-source translator for securing JavaScript-based web content)?
Unless you have XSS validation on the server side, you could apply html_sanitize
both to data sent from the user and to data received from the server that is to be displayed. In the worst-case scenario you'll get XSSed content in the database that will never be displayed to the user.
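The sanitize-on-the-way-in, sanitize-again-on-the-way-out pattern described in the answer above, as an added example that is not code from the question, the answer, or Google Caja. Caja's html_sanitize is not embedded here; a small allowlist sanitizer written for this example stands in for it (Caja's real policy is far more complete, and it also balances tags, which this one does not). The in-memory `db`, the `saveComment`/`renderComment` functions and the `LEGACY_ROW` sample are assumptions constructed for illustration.

```javascript
'use strict';

// Allowlist: permitted tags and, per tag, the attributes that may survive.
// Everything not listed (script, img, iframe, on* handlers, style, ...) is dropped.
const ALLOWED_TAGS = { b: [], i: [], em: [], strong: [], p: [], br: [], a: ['href'] };

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode the entities we know about so that a second sanitizer pass sees the same
// text as the first (idempotence), and so URL policy runs on the decoded value
// (e.g. "java&#115;cript:" must be seen as "javascript:").
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(code) && code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : whole;
  });
}

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Text nodes and attribute values: decode, then re-escape. Never interpreted as markup.
function normalizeText(s) {
  return escapeText(decodeEntities(s));
}

// URL allowlist: only absolute http(s) URLs. javascript:, data:, vbscript: and
// whitespace/entity-obfuscated schemes all fail the positive match.
function urlPolicy(url) {
  const u = url.trim();
  return /^https?:\/\//i.test(u) ? u : null;
}

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Stand-in for Caja's html_sanitize (assumption: much simpler policy, no tag balancing).
function sanitizeHtml(input) {
  let out = '';
  let last = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(input)) !== null) {
    out += normalizeText(input.slice(last, m.index)); // text before the tag
    last = TAG_RE.lastIndex;
    const name = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    if (!(name in ALLOWED_TAGS)) continue;               // drop disallowed tag, keep its inner text
    if (closing) { out += `</${name}>`; continue; }
    const attrs = [];
    const seen = new Set();
    let a;
    ATTR_RE.lastIndex = 0;
    while ((a = ATTR_RE.exec(m[2])) !== null) {
      const attrName = a[1].toLowerCase();
      if (!ALLOWED_TAGS[name].includes(attrName) || seen.has(attrName)) continue;
      const raw = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
      let value = decodeEntities(raw);
      if (attrName === 'href') { value = urlPolicy(value); if (value === null) continue; }
      seen.add(attrName);
      attrs.push(` ${attrName}="${escapeText(value)}"`);
    }
    out += `<${name}${attrs.join('')}>`;
  }
  out += normalizeText(input.slice(last)); // trailing text
  return out;
}

// Simulated persistence layer (constructed for the example).
const db = [];

// Sanitize on the way in: what reaches the database is already clean.
function saveComment(rawUserInput) {
  const clean = sanitizeHtml(rawUserInput);
  db.push(clean);
  return clean;
}

// Sanitize again on the way out: a row that bypassed the input filter (older
// code path, direct DB write, bug) is still neutralized before display.
function renderComment(stored) {
  return sanitizeHtml(stored);
}

function renderAll() {
  return db.map(renderComment);
}

// Constructed sample: a row that reached the database unsanitized (the "worst case" in the answer).
const LEGACY_ROW = '<img src=x onerror="alert(document.cookie)">Hi';
```

Two details matter for the double-pass pattern to be safe and not mangle content: the sanitizer must be idempotent (decode entities before re-escaping, otherwise `&lt;` becomes `&amp;lt;` on the second pass), and URL policy must run on the decoded attribute value. Sanitizing at render time is the safety net the answer describes; it does not replace server-side validation, since the stored payload is still live for any other consumer of that database.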