Tags: php, filtering, io, htmlpurifier

Using HTMLPurifier for input or output escaping/filtering


I am processing user input from the public with a JavaScript WYSIWYG editor and I'm planning on using HTMLPurifier to cleanse the text.

I thought it would be enough to use HTMLPurifier on the input, store the cleaned input in the database, and then output it without further escaping/filtering. But I've heard other opinions that you should always escape the output.

Can someone explain why I should need to clean the output if I'm already cleaning the input?


Solution

  • I assume your WYSIWYG editor generates HTML, which is then validated and put in the database. In that case, the validation already took place, so there is no need to validate twice.

    As to "escaping output", that's a different matter. You cannot escape the resulting HTML, otherwise you won't have formatted text, and the tags will be visible. Escaping the output is used when you do not want said output to interfere with the markup of the page.

    I'd add that you have to be very careful with what you allow in your validation phase. You will probably only want to allow a few HTML tags and attributes.
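The pattern the answer describes, written out as an added example (this is not code from the question, the answer, or the HTMLPurifier project): a narrow allowlist configuration, purification once on the way in, the purified HTML emitted unescaped on the way out, and a plain-text field (the author name) escaped at output because it was never purified. It assumes HTMLPurifier is installed through Composer (package ezyang/htmlpurifier); the array `$db` and the functions `buildPurifier`, `storeComment` and `renderComment` are hypothetical stand-ins for a real database layer. The hostile comment and author name are constructed sample input.

```php
<?php
// Added example, not from the original page. Assumes Composer-installed HTMLPurifier;
// $db is a hypothetical in-memory array standing in for a real database table.
require_once __DIR__ . '/vendor/autoload.php';

/** Build a deliberately narrow HTMLPurifier configuration: a few tags, one attribute. */
function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist of tags and attributes the WYSIWYG editor legitimately produces.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href]');
    // Refuse javascript:, data:, vbscript: etc. in href; only these schemes survive.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    // Mark user-supplied links as untrusted for crawlers.
    $config->set('HTML.Nofollow', true);
    // Do not write serializer cache files; keeps this example self-contained.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

/** Input side: purify once, store the cleaned HTML, return its row index. */
function storeComment(array &$db, HTMLPurifier $purifier, string $author, string $dirtyHtml): int
{
    $clean = $purifier->purify($dirtyHtml);
    $db[] = ['author' => $author, 'body_html' => $clean];
    return count($db) - 1;
}

/**
 * Output side: body_html is emitted as-is because it is meant to render as HTML
 * and was already purified. The author name is plain text that was never purified,
 * so it is escaped here; escaping body_html instead would show the tags literally.
 */
function renderComment(array $row): string
{
    $author = htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<article><h4>{$author}</h4>{$row['body_html']}</article>";
}

// Constructed sample input: what a hostile user might submit through the editor.
$dirty = '<p onmouseover="alert(1)">Hello <b>world</b> <script>alert(1)</script>'
       . '<a href="javascript:alert(1)">click</a> <a href="https://example.com">ok</a></p>';

$db = [];
$purifier = buildPurifier();
$id = storeComment($db, $purifier, 'Mallory <script>alert(2)</script>', $dirty);
echo renderComment($db[$id]), PHP_EOL;
```

Running this prints a single `<article>`: the `onmouseover` handler and the `<script>` element are gone, the `javascript:` href is dropped while the `https:` link is kept with `rel="nofollow"`, and the author name appears with its angle brackets converted to entities. One design consequence of purify-on-input worth keeping in mind: rows stored under an earlier, looser `HTML.Allowed` are not re-cleaned when the allowlist is tightened later, so if the configuration changes the stored HTML has to be re-purified (or the raw input kept alongside it so that is possible).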