I made a website using the famous symfony framework. I wanted to add rich editing feature to it. And I found TinyMCE editor. But there comed a problem: how about the user embed some javascript code into the content? such as alert('hello world').
I tested wordpress, which is a very famous blog software. It faces the same problem. example.
It is no big deal if some one embed an alert script. But what if they embed some dangerous code? Have you encountered the same problem? Should I use markdown instead of html? Any good widget for markdown editing?
Don't allow any embedded javascript in your user input. This is easy to clean out either on the client or the server. Have a "white list" of HTML tags you support, and remove any event listener attributes from whatever you do allow.