I'm investigating possibilities to avoid cross-site scripting in an application which allows the user to write HTML code. Instead of saving the user's input as HTML, I'm thinking of encoding it as BBCode (https://www.phpbb.com/community/faq.php?mode=bbcode) and, when it is later requested, decoding it before sending it back to the browser.
I'm quite sure I've seen a Forge module which performs the BB decoding but, after searching for it again and again, I'm not able to find it. Does it really exist? If so, do you know the link?
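As an added example that is not part of this thread and not a Forge module, here is a minimal BBCode decoder that shows the property the question is after: user text is HTML-escaped before any BBCode is interpreted, so only an allowlisted set of tags and validated http(s) links ever become markup. The tag set and the function names are assumptions of the example.

```javascript
// Added example (not from the original thread): a BBCode-to-HTML renderer
// that escapes everything first and only emits markup for allowlisted tags.
// The supported tag set ([b], [i], [url=...]) is this example's own choice.

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only http(s) targets are accepted; anything else (javascript:, data:, ...)
// is dropped so the link text is shown as plain text instead.
function safeUrl(target) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(target) ? target : null;
}

function bbcodeToHtml(input) {
  // Step 1: neutralise every raw HTML character in the user's input.
  let html = escapeHtml(input);

  // Step 2: translate allowlisted BBCode into fixed tag names we control.
  // The captured content is already escaped, so it cannot inject markup.
  html = html.replace(/\[b\]([\s\S]*?)\[\/b\]/gi, "<strong>$1</strong>");
  html = html.replace(/\[i\]([\s\S]*?)\[\/i\]/gi, "<em>$1</em>");

  // [url=target]text[/url]: validate the target before it reaches an href.
  html = html.replace(
    /\[url=([^\]]+)\]([\s\S]*?)\[\/url\]/gi,
    (match, target, text) => {
      const url = safeUrl(target);
      return url
        ? `<a href="${url}" rel="noopener noreferrer">${text}</a>`
        : text;
    }
  );
  return html;
}
```

Because escaping happens before tag translation, a stored `<script>` element or an `[url=javascript:...]` link is rendered inert, which is the guarantee a hand-written BBCode decoder must preserve.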
Not exactly an answer to your question, but in case you aren't aware, the Platform has built-in HTML sanitization capabilities, starting with version 9.1.300 if I'm not mistaken.
The following screenshot was taken from my Personal environment:
You can allow the user to insert HTML and, rather than convert it, have it sanitized according to these rules.
Hope this helps.