I wouldn't present users with raw HTML in any case. Either give them a rich text editor like CKEditor or give them something like Markdown, Textile, etc. Even light abstractions like Markdown are a little tough for non-tech users, though - many still expect a word-processor-like experience (even though most word processors are awful, people still want that relatively-familiar WYSIWYG UI).
So for usability:
Regardless of the solution you choose, security will depend on how well you sanitise the data on the server side. You have to assume that your attacker is messing with your app in every possible way on the client side.
Think of the client side as doing input assistance while the server side does input sanitisation. The client side helps the user enter the right stuff; the server makes sure they didn't enter anything dangerous.
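To make the server-side half concrete, here is an added example (not code from the answer above) of an allowlist HTML sanitiser written on Python's standard-library `html.parser`. It assumes the editor (CKEditor, or a Markdown renderer, which typically passes inline HTML straight through) produces HTML, and that the server wants to keep only a small set of formatting tags. The tag and attribute lists, the `safe_href` scheme check and the sample input are assumptions chosen for the demo; in production a maintained sanitiser library is the better choice, but this shows what such a library has to do: drop unknown tags and attributes, escape text, and reject `javascript:` links even when they are disguised with case, whitespace or control characters.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Allowlist (assumed for this example): only these tags/attributes survive.
# Everything else, including onclick/style/src and any unknown tag, is dropped.
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a",
                "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}  # tag *and* its text are discarded


def safe_href(url):
    """Allow relative links and http/https/mailto; reject javascript:, data:, etc.
    Browsers strip ASCII control characters before resolving a URL, so
    'java\tscript:' would still execute; strip them here before checking."""
    cleaned = "".join(c for c in url if ord(c) >= 0x20 and ord(c) != 0x7F).strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # kept tags still open, for well-formed output
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event handlers, style, etc.
            value = value or ""
            if name == "href" and not safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close anything left open inside the tag being closed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_startendtag(self, tag, attrs):  # e.g. <br/>
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is always re-escaped

    # Comments, doctype and processing instructions fall through to the
    # base-class no-ops and are therefore dropped.

    def result(self):
        while self.open_tags:  # close whatever the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitise(html):
    p = AllowlistSanitiser()
    p.feed(html)
    p.close()
    return p.result()


# Constructed sample input, as an attacker might submit it after tampering
# with the client-side editor.
UNTRUSTED = (
    '<p onclick="steal()">Hello <strong>world</strong></p>'
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)">x</a>'
    '<a href=" JavaScript:alert(1)">y</a>'
    '<a href="https://example.com" title="ok">link</a>'
    '<img src=x onerror="alert(1)">'
    '<p>1 &lt; 2 &amp; <em>unclosed'
)

if __name__ == "__main__":
    print(sanitise(UNTRUSTED))
```

Whatever the client sends, the output contains only allowlisted tags with allowlisted attributes, every text node re-escaped, and all links either relative or on a known-safe scheme; the Markdown case is the same pipeline with the renderer's output fed into `sanitise` instead of trusting the renderer to have stripped inline HTML.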