When to sanitize (remove <script> tags) text entered by a user?

I give user a CKEditor to enter some formatted text.

Next (to overcome hackers) I am going to sanitize HTML (remove scripts and like).

Is it OK to store in my DB the text sanitized? (Alternatively I can sanitize the text right before displaying.) This way when the user opens the CKEditor again to make changes in his previously entered text, he may see text somehow changed.

Is it a big problem that the text is changes?

What is the common practice: to store text sanitized or sanitize it before displaying?

Tags: UX Stack Exchange

When to sanitize (remove <script> tags) text entered by a user?

UX in 2018: The human element

Three Takeaways from the Hawai’i Missile False Alarm

UX in 2018: Content

UX in 2018: Design, Development, and Accessibility

The Power and Danger of Persuasive Design

When to sanitize (remove <script> tags) text entered by a user?

Related Posts