I am thinking about user-submitted data that I want to save. I currently validate and submit data directly to couch, and when I want to display the data back to users, I escape it first to avoid XSS. Validate on input, escape on output.
My question relates specifically to the step when I save the user-submitted data to couch, i.e. they submit a string and I want to save that to a field within a document. Can CouchDB accept any arbitrary string for a field within a document? I validate against string length. I have observed that special characters (quotes, newlines etc.) are automatically escaped (i.e. \\n). CouchDB also accepts Unicode. Are there any situations where I need to be wary about what type of data I save to a document that may have been submitted by an evil user?
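The flow described in the question (length check on input, JSON serialization when saving, HTML escaping on output), as an added example that is not part of the original post. It covers only the JSON encoding a client performs before sending a document body, not CouchDB itself; the function names, the field names and the 200-character limit are assumptions.

```python
import html
import json

MAX_CHARS = 200  # assumed limit; the post only says string length is validated


def validate_comment(value):
    """Input-side check: type and length only; the content is left untouched."""
    if not isinstance(value, str):
        raise ValueError("expected a string")
    if len(value) > MAX_CHARS:
        raise ValueError("too long")
    return value


def to_document_body(user_id, comment):
    """Build the JSON body a client would send for the document (hypothetical fields).

    The serializer produces the JSON, not string concatenation, so quotes and
    newlines inside the value cannot change the structure of the document.
    """
    doc = {"type": "comment", "user": user_id, "text": validate_comment(comment)}
    return json.dumps(doc)


def render_comment(body):
    """Output-side step: decode the stored JSON and HTML-escape the field."""
    text = json.loads(body)["text"]
    return "<p>" + html.escape(text, quote=True) + "</p>"


# Constructed sample input: a quote, a JSON-looking fragment, a newline,
# markup and non-ASCII characters in one string.
SAMPLE = '", "admin": true}\n<script>alert(1)</script> \u00e9\u4e2d'

if __name__ == "__main__":
    body = to_document_body("u1", SAMPLE)
    print(body)                  # newline appears as \n, quote as \"
    print(render_comment(body))  # markup appears as &lt;script&gt;...
```

The stored value decodes back to exactly what was submitted, which is why the escaping for HTML has to happen at render time rather than being assumed from the JSON escaping.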
