Originally Posted by sbhmf
I suppose one issue under discussion is whether or not encoding the HTML on the client prior to uploading it is sufficient to inhibit scripting attacks
NEVER encode HTML when it is input - that would make it unusable for any purpose other than displaying in an HTML page. The time to encode HTML is when actually adding it to an HTML web page that you want to display it.
For example: You would save the < characters as < in the database and only convert them to < when outputting HTML.