Best Practice: User generated HTML cleaning

Front-end · Unresolved · 4 answers · 1198 views
旧巷少年郎 2021-01-02 22:47

I'm coding a WYSIWYG editor with designMode="on" on an iframe. The editor works fine and I store the code as is in the database.

Before outputting the HTML I need

4 answers
• 星月不相逢
  2021-01-02 23:29

  The best practice is to allow only certain things you know aren't dangerous, and remove/escape all the rest. See the paper Automated Malicious Code Detection and Removal on the Web (OWASP AntiSamy) for a discussion on this (the library is for Java, but the principles apply for any language).
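An added worked example of the allow-list approach the answer recommends, written here for illustration and not taken from the original post or from AntiSamy. It uses only the Python standard library's html.parser; the set of permitted tags, attributes and URL schemes below is an assumed policy for a simple editor, not a standard list. Everything not on the allow-list is dropped (tags, attributes, comments), script and style bodies are removed entirely, text is re-escaped on output, and mismatched or unclosed tags are repaired so the output is well-formed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: tag -> attributes that may survive. Anything else is removed.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
}
VOID = {"br"}                              # tags that never get a closing tag
SAFE_SCHEMES = {"http", "https", "mailto"}  # relative URLs (no scheme) also pass
DROP_CONTENT = {"script", "style"}          # remove the element and its text


def safe_url(value):
    """True for relative URLs and for the assumed-safe schemes only."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded, we re-escape
        self.out = []        # output fragments
        self.open = []       # stack of emitted, still-open tags
        self.skip_depth = 0  # >0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open:
            return  # stray closing tag: ignore
        # Close anything left open inside this element, then the element itself.
        while self.open:
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions are silently discarded.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize(html_in):
    """Return a well-formed HTML fragment containing only allow-listed markup."""
    p = AllowListSanitizer()
    p.feed(html_in)
    p.close()
    while p.open:  # close anything the author left unclosed
        p.out.append(f"</{p.open.pop()}>")
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed sample input exercising event handlers, script, a javascript: URL,
    # an unknown tag, and mismatched nesting.
    sample = ('<p onclick="steal()">Hi <b>there</b></p><script>alert(1)</script>'
              '<a href="javascript:alert(1)">link</a><iframe src="x">text</iframe>'
              '<b><i>nested</b></i> 2 > 1')
    print(sanitize(sample))
```

Because the parser re-escapes all text on output and only ever emits attributes it has seen on the allow-list, the result is safe to embed in a page regardless of what the stored HTML contained; the trade-off is that legitimate but unlisted markup (tables, images, styles) is lost unless the policy is extended deliberately.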
