I was reading web security stuffs and found that user can inject malicious codes mostly JS in forms. Now, What about CKFinder/TinyMCE et al? They obviously produce html and any stripping will destroy the article formatting. bad enough they have a "code mode" where user can enter html directly.
Suppose my system is compromised (which is security thinking), what guards can I put to ensure minimum damage?