I've just been implementing a comment system, which allows a limited subset of Markdown formatting. I decided to store both the original document and the resulting HTML, which goes through escaping, Markdown and HTML Purifier, which strips everything unwanted. When the comment is edited, the user gets the original document, and the HTML version is shown on the site. It would be safer to do the HTML when outputting, but I decided this way for better performance.
Most applications these days are more read-intensive, so there's a good pay-off for performing data processing as it's being prepared for storage. And I've been reminded (the hard way) time and again that the sooner I clean/correct data, the less likely it is to hurt me later.
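The store-both approach from the first comment, as an added example that is not code from either poster: the source is escaped, a small Markdown subset is re-introduced, and both versions are saved. Python's standard library stands in for the PHP stack (the regex renderer replaces the Markdown and HTML Purifier steps), and the `version` column, which lets cached HTML be rebuilt after a rule change, is an assumption, as are all names used here.

```python
import html
import re
import sqlite3

RENDERER_VERSION = 2  # hypothetical: bump whenever the rendering rules change
SAFE_URL = re.compile(r"^https?://[A-Za-z0-9._~:/?#@!$&+,;=%-]+$")

def _link(m):
    text, url = m.group(1), html.unescape(m.group(2))
    if not SAFE_URL.match(url):
        return text  # unsafe scheme or characters: keep the escaped text only
    return '<a href="%s" rel="nofollow">%s</a>' % (html.escape(url), text)

def render(source):
    """Escape everything first, then re-introduce only the allowed tags."""
    out = html.escape(source)
    out = re.sub(r"\*\*([^*\[\]\n]+?)\*\*", r"<strong>\1</strong>", out)
    out = re.sub(r"\*([^*\[\]\n]+?)\*", r"<em>\1</em>", out)
    return re.sub(r"\[([^\[\]\n]+)\]\(([^)\s]+)\)", _link, out)

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY,"
               " source TEXT, html TEXT, version INTEGER)")
    return db

def save_comment(db, source):
    cur = db.execute(
        "INSERT INTO comments (source, html, version) VALUES (?, ?, ?)",
        (source, render(source), RENDERER_VERSION))
    return cur.lastrowid

def html_for_display(db, comment_id):
    source, stored, version = db.execute(
        "SELECT source, html, version FROM comments WHERE id = ?",
        (comment_id,)).fetchone()
    if version != RENDERER_VERSION:  # cached HTML predates a rule change
        stored = render(source)
        db.execute("UPDATE comments SET html = ?, version = ? WHERE id = ?",
                   (stored, RENDERER_VERSION, comment_id))
    return stored

def source_for_edit(db, comment_id):
    return db.execute("SELECT source FROM comments WHERE id = ?",
                      (comment_id,)).fetchone()[0]

# Constructed sample input
SAMPLE = ('**hi** <script>x</script> [a](javascript:alert(1)) '
          '[b](https://example.org/?q=1&r=2)')
```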