I want to create a system that allows users to write articles. Each section of the article would be stored in a database. My concern is XSS and SQL injection, but mostly XSS.
This won't be a public thing, it'd just be for people who I trust to create content. However, I'd rather not leave a gaping hole in my security just because I trust people.
I'm using parameterized queries, so I don't think I have to worry about SQL injection that much, but I'm not sure.
I guess my question is, how far should I go with sanitizing my input and how should I do it?
I came across a very nice article on XSS few months back. Go with the article and you would get an idea how to prevent XSS. http://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/
In your case where you want html as an input from the end user, use plugins that will filter the html inputs and then store it in the database. Here is a link how you can do it. http://htmlpurifier.org/
About SQL Injection, if you are using parameterized query then it will take care of it.
If you're using an WYSIWYG HTML editor such as TinyMCE, there are built in functions to strip potentially malicious code, such as
<script> tags and so on, you can check the function that instantiates the editor for detail of banned tags, functions and so on.
Note: TinyMCE should not be used for sanitizing as it is a client-side editor, and sanitizing should only be done server-side.