When to sanitize (remove <script> tags) text entered by a user?
I give user a CKEditor to enter some formatted text.
Next (to overcome hackers) I am going to sanitize the HTML (remove scripts and the like).
Is it OK to store the sanitized text in my DB? (Alternatively, I can sanitize the text right before displaying it.) This way, when the user opens the CKEditor again to make changes to his previously entered text, he may see the text somehow changed.
Is it a big problem that the text is changed?
What is the common practice: to store text sanitized or sanitize it before displaying?