As you are not using HTL or AEM jQuery, which has token for XSS, not sure what you can do. You can look at trying to implement some sort of blacklist which would specify locations that would not be allowed. So if an author references a prohibited area, the request should be blocked. This is a custom feature as AEM does not support OOTB.
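An added example of the kind of location blacklist the answer above suggests; this is not code from the thread or from AEM. It is written in plain JavaScript so it runs anywhere, but the same logic belongs server-side wherever the request is actually blocked. The blocked prefixes and function names are assumptions. The point a practitioner will care about is canonicalization: a blacklist compared against the raw string is trivially bypassed with `..` segments or percent-encoding, so the path is decoded and normalised before it is compared, and prefixes are matched on segment boundaries so that blocking `/etc/` does not also block `/etcetera/`.

```javascript
// Added example, not from the original thread or from AEM.
// Constructed sample blacklist: repository prefixes an author may not reference.
const PROHIBITED_PREFIXES = ["/etc/", "/apps/", "/home/users/"];

// Decode percent-encoding until stable, drop query/fragment, resolve "." and "..".
// Returns null when the path is malformed, relative, or climbs above the root;
// the caller treats null as "block".
function canonicalizePath(path) {
  let decoded = path;
  // Repeated decoding defeats double encoding such as "%252e%252e" -> "%2e%2e" -> "..".
  for (let i = 0; i < 5; i++) {
    let next;
    try {
      next = decodeURIComponent(decoded);
    } catch (e) {
      return null; // malformed escape sequence
    }
    if (next === decoded) break;
    decoded = next;
  }
  decoded = decoded.split(/[?#]/)[0].replace(/\\/g, "/");
  if (!decoded.startsWith("/")) return null; // only absolute repository paths
  const segments = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (segments.length === 0) return null; // would escape the root
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// True when the canonical form of `path` is outside every prohibited prefix.
// Prefixes are compared with a trailing slash so matches stop at segment boundaries.
function isPathAllowed(path, prohibited = PROHIBITED_PREFIXES) {
  const canonical = canonicalizePath(String(path ?? ""));
  if (canonical === null) return false;
  const candidate = canonical.endsWith("/") ? canonical : canonical + "/";
  return !prohibited.some((p) => candidate.startsWith(p.endsWith("/") ? p : p + "/"));
}

// Demonstration on constructed inputs.
for (const p of ["/content/site/page", "/etc/designs/x", "/content/%252e%252e/etc/x", "/etcetera/ok"]) {
  console.log(p, "->", isPathAllowed(p) ? "allowed" : "blocked");
}
```

Because a blacklist only blocks what it names, it is worth keeping the list short and obvious (the prefixes above are placeholders) and reviewing it whenever new content trees are added; anything that fails to canonicalize is blocked rather than passed through.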