I've been looking at incorporating a WYSIWYG editor in my PHP pages like tinyedit or iRite. Something very much like the box I'm entering this message in, it would have the ability to let the user add links, underlines, bold, etc. into blog posts and comments.
However, does this necessarily open my users up to cross-site scripting? I know just enough about cross-site scripting to know that you're supposed to filter out the bad stuff with htmlentities, but if I do that on a message with formatting and links, won't I be killing those links and formatting as well?
What is the best practice?
Thanks in advance
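The usual answer to the question above is that htmlentities() is the right tool for plain-text fields, but rich text needs an allowlist sanitizer: parse the submitted HTML on the server (the editor runs in the browser, so its output is untrusted), keep only a small set of harmless tags and attributes, reject link schemes such as javascript:, and serialize the result. The following is an added illustration of that approach, not code from the original post or from any of the editors it mentions; the tag and attribute lists, the function names, and the sample input are this example's own choices.

```php
<?php
// Added example: allowlist HTML sanitizer for user-submitted rich text.
// Rather than escaping everything with htmlentities(), parse the HTML,
// keep only known-safe tags/attributes and rebuild it. The allowlists
// below are this example's own assumptions; adjust them to your needs.

declare(strict_types=1);

const ALLOWED_TAGS    = ['a', 'b', 'strong', 'i', 'em', 'u', 'p', 'br', 'ul', 'ol', 'li'];
const ALLOWED_ATTRS   = ['a' => ['href']];          // everything else is dropped
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// Returns the href to keep, or null if it must be removed.
function safe_href(string $url): ?string
{
    // Browsers strip ASCII control characters (tab, newline, ...) before
    // parsing a URL, so "java\tscript:" still executes. Strip them first,
    // then decide. Entity-encoded tricks (&#106;avascript:) are already
    // decoded by the DOM parser by the time we see the attribute value.
    $clean = preg_replace('/[\x00-\x1f\x7f]/', '', trim($url));
    if ($clean === null || $clean === '') {
        return null;
    }
    // Anything before the first ':' (with no '/', '?' or '#' in front) is a scheme.
    if (preg_match('/^([^\/?#]*):/', $clean, $m)) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true) ? $clean : null;
    }
    return $clean; // relative URL, no scheme: harmless as a link target
}

// Recursively removes or unwraps everything not on the allowlist.
function clean_node(DOMNode $node): void
{
    // Iterate over a static copy, because we modify the child list as we go.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                      // plain text is always fine
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child);    // comments, PIs, etc.
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child); // drop dangerous containers, text and all
            } else {
                // Unknown tag: keep its (cleaned) children, lose the tag itself.
                clean_node($child);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
            }
            continue;
        }
        // Allowed element: strip every attribute not on its allowlist
        // (this is what removes onclick=, onerror=, style=, ...).
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)) {
                $child->removeAttribute($attr->name);
            } elseif ($name === 'href') {
                $safe = safe_href($attr->value);
                if ($safe === null) {
                    $child->removeAttribute('href');
                } else {
                    $child->setAttribute('href', $safe);
                    $child->setAttribute('rel', 'nofollow noopener');
                }
            }
        }
        clean_node($child);
    }
}

function sanitize_html(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy user markup
    // The <?xml ...?> prefix tells libxml the input is UTF-8.
    $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>', LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);   // serialize only the cleaned fragment
    }
    return $out;
}

// Constructed sample input mixing legitimate formatting with XSS attempts.
$input = '<p onclick="steal()">Hello <b>world</b>, '
       . '<a href="javascript:alert(1)">bad link</a> and '
       . '<a href="https://example.com/">good link</a>'
       . '<script>alert(1)</script><img src=x onerror=alert(1)></p>';

echo sanitize_html($input), "\n";
```

Running this keeps the paragraph, the bold text and the https link (with rel="nofollow noopener" added), drops the onclick handler, the javascript: href, the script element and the img/onerror payload. For production use, a maintained library such as HTML Purifier implements the same allowlist idea with far more edge cases covered than a hand-rolled walker; keep htmlspecialchars() for fields that should never contain markup, such as the commenter's name, and do the sanitizing on the server regardless of what the editor promises on the client.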