devbox@COMPUTEC The Computec development blog

19 Jun 2009, 2 comments

Super sexy jQuery hierarchical menu for nondevelopers

It all started when I started looking for a menu library for a project I am working on.
Since jQuery was my framework of choice, I wanted to find either a plugin or inline code written in jQuery.
Surprise one: Google returns absolutely nothing. LOL. How can that be?! I mean, that's one of the most popular libraries written in JavaScript in the last decade (and more). The next step was to check the official jQuery plugin repository. The situation there was much better, and I found 65(!) plugins in the "menu" group.

17 Jun 2009, 0 comments

What if HTMLEditFormat() doesn’t cut it?

You know of course that you need to HTMLEditFormat() any user input that you intend to display somewhere on your page to avoid racing down the road to XSS hell; to save on processing resources the best time to do this would obviously be before the data goes to your persistence layer (be it some physical file or most likely a database).

If all you want to do is allow your users to store some plain old text, maybe seasoned with some kind of BB-code markup to allow for some limited text formatting, this method is just fine. If that is not enough and you actually need to allow a limited amount of good old HTML, you'll need some more sophisticated sanitizing mechanism to parse out any potentially harmful code elements like JavaScript actions and the like.

15 Jun 2009, 17 comments

ColdFusion-UDF Wrapper for JTidy to clean up HTML

JTidy is a Java port of HTML Tidy, which allows you to clean up messy HTML. This comes in handy when you need to output some code which has been created by users. I'll show in a later post how to allow users to actually enter HTML without compromising the security of your site; today I'll just show how to clean up this user-generated code. JTidy will not only generate XHTML-valid code from incomplete code by correctly closing opened tags, it will also do a couple of "prettifying" operations to increase the quality of the result.