Against XSS injection you can use htmlspecialchars in general; however, we know that you intend to allow HTML to be sent, so your validation will have to check against the presence of <script. If that's present in your input, then you should render it invalid. Now, there is another way of providing Javascript in HTML, that is, inline Javascript, being the values of onclick, onhover and so on. I would advise to make sure that, if such an event handler is present between the < and > of a tag, then simply render the input invalid.
Now, you have also mentioned HTML injection, that is, some HTML is injected which causes undesirable behavior. However, since you welcome HTML in the input, distinguishing between "bad HTML injection" and "good HTML injection" comes down to:
- checking the validity of the html you get
- checking against any problems that the HTML might cause in your application
The first criterion is easy to determine (read the link); the second depends on business logic. That HTML might ruin your design, for example, if there are some expectations for it, so you need to lay down the foundations of what you expect in terms of HTML.
And also, since we are speaking about security, make sure you protect your database against SQL injection as well.
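As an added illustration that is not part of the original answer, here is a small Python checker for the approach described above. It rejects <script and any on* handler attribute as the answer suggests and, going one step further, rejects every tag or attribute outside an allowlist, rejects href values with a scheme other than http, https or mailto, and checks that tags are balanced (the "validity" criterion). The tag and attribute lists are an assumed policy, not something taken from the question.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy: tags/attributes this application accepts. <script> and on* are never in it.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}


class HtmlPolicyChecker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.errors, self.stack = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:            # catches <script>, <iframe>, <object>, ...
            self.errors.append(f"tag not allowed: <{tag}>")
        for name, value in attrs:              # HTMLParser lowercases tag and attribute names
            if name.startswith("on"):          # inline handlers such as onclick, onmouseover
                self.errors.append(f"event handler attribute: {name}")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.errors.append(f"attribute not allowed: {name} on <{tag}>")
            elif name == "href":
                # Browsers ignore embedded whitespace in URLs, so strip it before reading the scheme.
                scheme = urlparse("".join((value or "").split())).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:
                    self.errors.append(f"href scheme not allowed: {scheme}")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):  # <br/> style self-closing syntax
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.stack.pop()

    def handle_endtag(self, tag):
        # Validity check: each closing tag must match the most recently opened tag.
        if self.stack and self.stack[-1] == tag:
            self.stack.pop()
        else:
            self.errors.append(f"unbalanced closing tag: </{tag}>")


def validate_html(fragment):
    """Return the list of violations; an empty list means the fragment is acceptable."""
    checker = HtmlPolicyChecker()
    checker.feed(fragment)
    checker.close()
    checker.errors.extend(f"unclosed tag: <{tag}>" for tag in checker.stack)
    return checker.errors
```

Because this is an allowlist, a new tag or attribute only becomes acceptable when you add it to the policy, which is the "lay down what you expect" step from the answer in code form.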