In my application, I have a rich textbox, and I wonder which is safer to use:
- A bbcode rich textbox with bbcode parser,
or
- A rich textbox with HTML-encoded tags, and validation with the Microsoft Anti-XSS sanitizer
I think the first approach is a bit harder to implement, because I would need to write a custom BBCode validator/sanitizer.
So, which method would you use, and why?
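The core of a safe BBCode parser is the same invariant an HTML sanitizer enforces: encode everything by default, and let only an allow-list of constructs become markup. The sketch below is an added example (not code from the question or from any BBCode library) in Python; the structure carries over to C# unchanged. It escapes the whole input first, then expands a small allow-list of tags, and accepts only absolute http(s) URLs in `[url=...]`.

```python
import html
import re

# Allow-list of simple inline tags mapped to the HTML element they may produce.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}

# Only absolute http(s) URLs are accepted; anything else (javascript:, data:, a
# relative path) is left as literal text. The pattern runs on already-escaped
# text, so a URL can never carry a raw quote or angle bracket into the href.
URL_TAG = re.compile(
    r"\[url=(https?://[^\s\]\"'<>]+)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL
)


def bbcode_to_html(text: str) -> str:
    """Convert user-supplied BBCode to HTML without ever passing raw markup through."""
    # Step 1: neutralise every HTML construct in the input. From here on, the
    # only way to produce markup is through the allow-listed rules below.
    out = html.escape(text, quote=True)

    # Step 2: expand the allow-listed tags. Unknown or unmatched tags are left
    # as literal (escaped) text rather than being stripped or "repaired".
    for bb, tag in SIMPLE_TAGS.items():
        pattern = re.compile(rf"\[{bb}\](.*?)\[/{bb}\]", re.IGNORECASE | re.DOTALL)
        out = pattern.sub(rf"<{tag}>\1</{tag}>", out)

    # Step 3: links. The URL was validated by the regex and is already
    # attribute-safe because of the escaping in step 1.
    out = URL_TAG.sub(
        lambda m: f'<a href="{m.group(1)}" rel="nofollow">{m.group(2)}</a>', out
    )
    return out


if __name__ == "__main__":
    # Constructed sample inputs: benign formatting and two breakout attempts.
    for sample in (
        "[b]hello[/b] [url=https://example.com]site[/url]",
        "<script>alert(1)</script>",
        '[url=https://example.com" onclick="alert(1)]x[/url]',
    ):
        print(bbcode_to_html(sample))
```

Because escaping happens before tag expansion, a malformed or unknown tag degrades to visible text instead of reaching the browser as markup, which is the property a hand-written BBCode sanitizer must guarantee.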