I'm in the process of building a small blog system to implement into our clients websites. I have built a simple wysiwyg text editor and everything works fine (almost...), but I store blog posts into a database. The problem is, I don't want malicious script to get into there. Also, if I escape the string, the HTML tags won't be able to format the text at the output (unless I'm unaware of something).
However, only people with accounts will be able to create a blog posts on their website (small business owners). So, if a password is needed to access the text editor, do I need to protect it as much? Do I need HTML Purifier or something? Am I simply on the wrong path of doing it?
Answer is: YES
By not doing that you're actually incentivizing the hacking of your users accounts and putting them at risk. If a hacker gets access to one of those accounts then he can exploit that to compromise all users, which is bad news for you in so many different ways..
Safety shouldn't be an optional feature.
EDIT: answer should actually say "NO" as the question at the top is different from the question in the description.. so, NO, NOT safe to put an unprotected form inside a password protected page.