If you use tinymce, does that mean you have to handle the parsing of the HTML on the postback (when saving the data to the db)?

I.e., do you have to parse the output and make sure no hacky script was posted back, or can you have tinymce convert the HTML into a safe markup?

A: 

Yes, always!!! Just think if they turn off the editor or don't have javascript enabled.

Daniel A. White
+1 A:

You can't ever rely on the client to make sure that the content it posts to your server is safe.

It's much too easy for a potential attacker to disable those client-side measures and submit any dangerous content that he wants to.

Therefore you will always have to check your content on the server side, no matter what editor you use in the browser.

Joachim Sauer
A: 

We use the 'valid elements' check to ensure we only get standard HTML out of the editor. No scripts, no events on tags pasted in (e.g. anchor tags with onclick events). Just boring, ordinary HTML.

http://wiki.moxiecode.com/index.php/TinyMCE%3AConfiguration/valid%5Felements

james
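The server-side check that the second answer insists on, applied with the same idea as the last answer's `valid_elements` whitelist but enforced where the attacker cannot switch it off. This is an added example written for this page, not code from TinyMCE or from any of the answerers; the element and attribute policy in `ALLOWED` and the `SAFE_SCHEMES` set are assumptions you would tune to your own application. It uses only the Python standard library: a whitelisting `HTMLParser` subclass that drops unknown tags, every `on*` event attribute, `javascript:`/`data:` URLs in `href`/`src`, and the contents of `<script>`/`<style>`, while re-escaping text and closing any tags the client left open.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy: allowed elements and the attributes each may keep.
# Anything not listed here is dropped, so new attacker tricks fail closed.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}                       # elements that never get a closing tag
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
RAW_TEXT = {"script", "style"}             # their content is dropped entirely


def safe_url(value):
    """Accept only whitelisted URL schemes. Whitespace and control characters
    are removed before parsing because browsers ignore them inside a scheme
    (so 'jav\\tascript:' would otherwise look like a relative URL)."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded; we re-escape
        self.out = []
        self.open_tags = []        # stack of emitted, not yet closed tags
        self.skipping = None       # name of the raw-text element being dropped

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in RAW_TEXT:
            self.skipping = tag
            return
        if tag not in ALLOWED:
            return                 # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:  # names are already lower-cased by HTMLParser
            if name not in ALLOWED[tag] or value is None:
                continue           # removes onclick/onerror/... and style, class, etc.
            if name in ("href", "src") and not safe_url(value):
                continue           # removes javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            # Close everything opened after it too, so the output nests properly.
            while self.open_tags:
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()            # flush buffered text
        while self.open_tags:      # close whatever the client never closed
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize(html):
    """Return a whitelisted, well-formed HTML fragment safe to store and render."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    # Constructed sample of what a hostile client could post back.
    posted = ('<p onclick="steal()">Hi <script>alert(1)</script>'
              '<a href="javascript:alert(1)">c</a></p>')
    print(sanitize(posted))        # <p>Hi <a>c</a></p>
```

Run `sanitize()` on the request body before it reaches the database, regardless of what the editor did in the browser; a client that turned JavaScript off or replayed the POST with curl never saw the editor's `valid_elements` filter at all. Keeping the rules as a whitelist (rather than a list of bad tags to strip) is what makes the check hold up against tricks the list never anticipated.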