I am looking at starting a hosted CMS-like service for customers.
As it would, it would require the customer to input text which would be served up to anyone that comes to visit their site. I am planning on using Markdown, possibly in combination with WMD (the live markdown preview that SO uses) for the big blocks of text.
Now, should I be sanitizing their input for HTML? Given that there would only be a handful of people editing their ‘CMS’, all paying customers, should I be stripping out the bad HTML, or should I just let them run wild? After all, it is their ‘site’.
Edit: The main reason as to why I would do it is to let them use their own JavaScript, and have their own CSS and divs and whatnot for the output.
Why wouldn’t you sanitize the input?
If you don’t, you’re inviting calamity – to either your customer or yourself or both.