Help securing POST !

couple of options

1. Limit number of tags and strip off the rest (then encode string in case some entities made its way)
2. Use HTML Purifier (google it)
3. Use Markup language

Always validate your inputs

I don't get 1,3, can you explain ?

If you strip tags, then you can't store html, script etc - although you can whitelist some specific ones, e.g. <b>, <i>, well whatever you want.

Have you considered using something like DISQUS? This takes the heat out of storing / processing comments on your own server. It's free, it's got a huge user base and it's a system therefore that many would be familiar with and could use without a lengthy login/sign-up process.

However, you may want to moderate comments, so you'd have to get into the guts of it, but definitely receommended (by me!).

BTW - html editor not necessary - well don't use it. The more complicated you make things with all these add-ons the more of an issue it is to keep things secure. A html editor (even proven ones like TinyMCE and CKEditor) may suffer from security holes. Unless you keep abreast of developments, you may not be aware that you may need to apply a security patch etc. As these editor inputs are stored on your server, you are more open to problems, compared to a DISQUS type implementation. I am not really pitting one against the other, as both approaches have slightly different uses and both have their pros and cons.