User-submitted rich text content security rules

When using rich text editors like TinyMCE, QuillJS and so on for user-submitted content, you may run into a few related security problems - and potentially cause vulnerabilities if you handle them incorrectly.

Web Application Firewall rules

WAFs often have core rules for protecting against XSS. Due to rich text editors usually including a bunch of HTML and CSS, WAFs will often block request bodies containing their output, which will present as a 403 error when submitting an AJAX call to e.g. save a user's inputted information.

HTML sanitization libraries

In order to protect your website from XSS and other attacks, you'll need to pass all rich text content received from users through some form of sanitisation filters. Many will strip out CSS styling on elements, which destroys the WYSIWYG implementation of the editor in question (and can strip out some content as well).

How to solve this: use base64 encoding