It depends on what you insert and where. JSON itself is just transport: if a user typed an XSS payload into the comments, it will be faithfully carried through JSON, escaped and all, but as soon as it is inserted into the page text as a piece of HTML, it will bite.

Again, if you are returning a form filled in by the user back to that same user, then by all means, let them insert whatever they like. But in public, that is not good.
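
An added example, not part of the original answer: it round-trips a constructed comment through JSON to show the markup arrives unchanged, then contrasts a sink that treats it as HTML with one that treats it as text. The function names and the sample comment are assumptions made for illustration.

```javascript
// Constructed sample: a comment as a user submitted it and the server stored it.
const storedComment = {
  author: "mallory",
  text: '<img src=x onerror="alert(1)">',
};

// JSON is only transport: serialising escapes what JSON needs (quotes,
// backslashes, control characters), not HTML metacharacters such as < and >.
function viaJson(obj) {
  const wire = JSON.stringify(obj);
  return { wire, received: JSON.parse(wire) };
}

// HTML-escape for element content and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe sink: the received string becomes markup (same effect as innerHTML).
function renderUnsafe(c) {
  return `<li><b>${c.author}</b>: ${c.text}</li>`;
}

// Safe sink: the received string stays text (same effect as textContent).
function renderSafe(c) {
  return `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`;
}

const { wire, received } = viaJson(storedComment);
console.log("on the wire:", wire);              // quotes are JSON-escaped, <img ...> is intact
console.log("unsafe sink:", renderUnsafe(received));
console.log("safe sink:  ", renderSafe(received));
```

In a browser the safe equivalent is assigning to `textContent` instead of `innerHTML`; the point is that the fix belongs at the HTML sink that other users see, not in the JSON layer.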