Escaping rich text editor output

The Content Security Policy (CSP) lets you serve a page of user-controlled HTML in which the browser will not execute JavaScript, so the content cannot be used for XSS.

This tells the browser not to execute JavaScript, which is a lot stronger than filtering the output; using both improves security. HTML filtering libraries such as HTML Purifier, AntiSamy and SafeHTML have all had numerous bypasses and therefore should not be used as the only means of defense. They are very complex filters, and complexity is the worst enemy of security.
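As an added example (not code from the original answer), here is how a server could send the rich-text fragment with a policy that forbids script, together with a small checker that applies CSP's fallback rules (script-src falls back to default-src; a sandbox without allow-scripts also blocks script) so you can verify a policy really leaves no way to run JavaScript. The policy string, function names and the sample fragment are assumptions for illustration.

```python
# Added example: serve untrusted rich-text HTML under a no-script CSP and
# verify that the policy actually blocks script execution.
# USER_HTML_CSP and the sample fragment are constructed for illustration.

USER_HTML_CSP = "default-src 'none'; img-src https:; style-src 'unsafe-inline'; sandbox"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """Fetch directives inherit default-src; with neither set, CSP imposes no limit."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"])


def allows_script(header: str) -> bool:
    """True if the policy could let any script run (inline, eval or external).

    Checks the two mechanisms that stop script: a sandbox directive without
    allow-scripts, and a script-src (or inherited default-src) that resolves to
    'none' or to an empty source list. Any other source list allows some script.
    """
    policy = parse_csp(header)
    if "sandbox" in policy and "allow-scripts" not in [t.lower() for t in policy["sandbox"]]:
        return False
    sources = [s.strip("'").lower() for s in effective_sources(policy, "script-src")]
    if sources == ["none"]:
        return False
    return len(sources) > 0


def render_user_html(fragment: str) -> tuple:
    """Build (headers, body) for a page that shows user-controlled HTML under CSP."""
    assert not allows_script(USER_HTML_CSP), "policy must not permit script"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": USER_HTML_CSP,
    }
    body = "<!doctype html><html><body>" + fragment + "</body></html>"
    return headers, body


if __name__ == "__main__":
    # Constructed sample: the script tag is delivered but the browser will not run it.
    sample = "<p>Hello <b>world</b></p><script>alert(1)</script>"
    print(render_user_html(sample)[0]["Content-Security-Policy"])
```

The checker only covers script-src and sandbox; serve the fragment from its own document (for instance an iframe on a separate origin) so the policy applies to the untrusted content alone rather than to your whole application.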