There's no scarcity of WYSIWYG editors, but it seems like there's no simple path to having one and keeping some semblance of protection from bypassing client side validation and including script and object tags.

My initial thought was to find a WYSIWYG editor which would output markdown, then store markdown formatted text in the db and parse on display. This would protect me from storing potentially dangerous code in the db, but also keep me from needing to whitelist every possible tag that the editor would put out as I would need to if it were HTML.

Am I missing some really easy path here? How does everyone else balance having a usable editor but not opening themselves wide open to attacks?