What if HTMLEditFormat() don’t cut it?
Jun/090
You know of course that you need to HTMLEditFormat() any user input that you intend to display somewhere on your page to avoid racing down the road to XSS hell; to save on processing resources the best time to do this would obviously be before the data goes to your persistance layer (be it some physical file or most likely a database).
If all you want to do is allow your users to store some plain old text, maybe seasoned with some kind of BB-code markup to allow for some limited text formatting, this method is just fine. If that is not enough and you actually need to allow a limited amount of good old HTML, you’ll need some more sophisticated sanitizing mechanism to parse out any potentially harmful code elements like JavaScript actions and the like.