Textarea Validation
#1

[eluser]Jim Higgins[/eluser]
Hi, I'm debating what characters and rules I should set for a textarea field validation on a form. I'm thinking letters, numbers, dashes, and some very basic punctuation (comma, period, exclamation point, apostrophe). I'm wondering what others think is a good set of allowable characters and what additional measures one might take to ensure any submission is safe.

The textarea will allow a user to describe an item for sale so, not only will their input go into the database, but it will also be displayed on screen for users to read. There will not be any links or images in the description field... just a paragraph.

I run XSS clean on the input, limit it to 600 characters, and escape the output. Anything I'm missing?

Thanks in advance.
#2

[eluser]xwero[/eluser]
If you escape the output you can let the user add any character they want. Why should you limit the characters? They can all be used in a legitimate way, otherwise they wouldn't be in a language. It's up to the application to spot (possible) illegal use.
#3

[eluser]Jim Higgins[/eluser]
So running xss clean on the input and escaping the output is enough to be secure?
#4

[eluser]xwero[/eluser]
It should be; I can't think of a way attacks get through 3 security measures (escaping input for SQL in between XSS and escaping output).

You can prevent users from inputting certain characters, but I think you'd get a lot of why-is-that-not-possible emails. The limiting you suggested doesn't allow the user to add a currency symbol.
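The two approaches debated above, side by side, as an added example that is not part of the original thread and not CodeIgniter's own code: the character whitelist from post #1 (which rejects the currency symbol post #4 mentions) against the accept-anything-and-escape-on-output approach from posts #2 and #4. Function names (passesWhitelist, validateDescription, renderDescription) and the sample descriptions are constructed for the illustration; only htmlspecialchars, mb_strlen, mb_check_encoding and preg_match are real PHP.

```php
<?php
// Added example, not from the thread or from CodeIgniter. Contrasts a character
// whitelist on input with accepting any character and escaping at output time.
declare(strict_types=1);

const MAX_DESCRIPTION_CHARS = 600; // the limit mentioned in post #1

// Post #1's proposed whitelist: letters, digits, dashes, space, and basic punctuation.
// Anything else (currency symbols, quotes, ampersands, accented letters) is rejected.
function passesWhitelist(string $s): bool
{
    return preg_match('/\A[A-Za-z0-9 ,.!\'-]*\z/', $s) === 1;
}

// Posts #2 and #4's approach: accept any character, enforce only encoding validity
// and a length limit counted in characters (so a multibyte symbol counts once),
// and keep the raw text for storage. Storage itself should use query bindings or
// prepared statements rather than character filtering.
function validateDescription(string $s): ?string
{
    if (!mb_check_encoding($s, 'UTF-8')) {
        return null; // malformed UTF-8 is rejected outright
    }
    $s = trim($s);
    if ($s === '' || mb_strlen($s, 'UTF-8') > MAX_DESCRIPTION_CHARS) {
        return null;
    }
    return $s;
}

// Escape at the point of output, for an HTML text context. ENT_QUOTES escapes
// both quote characters; ENT_SUBSTITUTE replaces invalid sequences instead of
// returning an empty string.
function renderDescription(string $stored): string
{
    return '<p>' . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample inputs, not real submissions.
$samples = [
    'Vintage lamp, works great! Price: 25 €',             // legitimate, has a currency symbol
    'Nice chair <script>alert(document.cookie)</script>', // attempted script injection
    '"Mint" condition & boxed',                           // legitimate quotes and ampersand
];

foreach ($samples as $raw) {
    printf("whitelist: %-4s | ", passesWhitelist($raw) ? 'pass' : 'FAIL');
    $clean = validateDescription($raw);
    echo $clean === null ? "rejected\n" : renderDescription($clean) . "\n";
}
```

All three samples fail the whitelist, including the two legitimate ones, while the escape-on-output path renders the lamp and chair descriptions as plain text and turns the injected `<script>` tag into inert `&lt;script&gt;`. The escaping shown is correct for HTML body text only; a description dropped into an attribute, a URL, or a script block needs the escaping rules of that context instead.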