I'm using the TinyMCE editor which will allow my users to enter text which will then be saved under their user id and printed back to the screen on one of their personal pages. TinyMCE converts something like this:

<script type="text/javscript">Hello!</script>

to this:

<p>&lt;script type="text/javscript"&gt;Hello!&lt;/script&gt;</p>

In other words, I don't need to use htmlentities to sanitize the input (though I do quote it before putting it in my database). The problem is that TinyMCE doesn't work on, for example, the iPad. If a user goes to my site on the iPad and enters text, then it will enter my database as:

<script type="text/javscript">Hello!</script>

if I don't sanitize it.

I know that this is "bad" because a potentially malicious script could be entered. However, if the resulting text is printed on a user-specific page, then do I have anything to worry about? In other words, if "bad user" is the only one who has access to the page with the "bad script"... is this a security leak?

If it is, could someone please explain to me exactly what the possible issues are?

Thanks so much,
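
The two input paths described in the question (TinyMCE-encoded text and raw text from a browser where the editor does not load) can be handled by one server-side allowlist filter, shown here as an added example that is not part of the original post. It assumes PHP with the DOM extension; the function name `sanitize_user_html` and the tag list are hypothetical.

```php
<?php
// Added example, not the asker's code. The tag list and function name are assumptions.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li'];

function sanitize_user_html(string $html): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    libxml_use_internal_errors(true);   // malformed input must not emit warnings
    // The meta tag makes libxml read the bytes as UTF-8; the div is a container to find later.
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body><div>' . $html . '</div></body></html>');
    libxml_clear_errors();

    $root = $doc->getElementsByTagName('div')->item(0);
    // Comments are not needed in user content, so drop them.
    foreach (iterator_to_array((new DOMXPath($doc))->query('.//comment()', $root), false) as $c) {
        $c->parentNode->removeChild($c);
    }
    // Snapshot the element list first: the live NodeList changes as nodes are replaced.
    foreach (iterator_to_array($root->getElementsByTagName('*'), false) as $el) {
        if (!in_array(strtolower($el->nodeName), ALLOWED_TAGS, true)) {
            // Keep the text, not the element; the text node is escaped when serialised.
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
            continue;
        }
        while ($el->attributes->length > 0) {   // drop every attribute (onclick, style, ...)
            $el->removeAttributeNode($el->attributes->item(0));
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);         // serialise only the container's children
    }
    return $out;
}

// Constructed inputs: what TinyMCE submits, and what a plain textarea submits.
$fromEditor   = '<p>&lt;script type="text/javscript"&gt;Hello!&lt;/script&gt;</p>';
$fromTextarea = '<script type="text/javscript">Hello!</script><p onclick="x()">Hi</p>';

foreach ([$fromEditor, $fromTextarea] as $input) {
    echo sanitize_user_html($input), PHP_EOL;
}
```

Running the filter on every submission, regardless of which client sent it, means the stored value never depends on the editor having loaded in the browser.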