In a forum-type environment, how do you stop users typing in bits of code which could be executed the next time the post is viewed? I am assuming, for example, that if I type a bit of PHP in this forum as below it will not be executed.
<?php echo("test text"); ?>
What about HTML?
I don’t know about this forum, but I’d guess it does it this way (as it was how I did it in a forum I wrote years ago)
You type in
what actually gets stored in the database is
so there is no “HTML code”… this would also protect <?PHP tags etc.
I believe Xojo inc. is following those procedures: https://www.owasp.org/index.php/Top_10_2013-Top_10
Dave, I am using this approach using PHP’s htmlentities. John, great website, I will run through their list and follow some of the advice.
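
An added example, not part of any post in this thread: the entity-encoding approach discussed above, applied with PHP's `htmlentities` to the PHP snippet from the first post and to two constructed sample posts. The helper name `encode_post` and the sample strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not from the thread: encode a post body for output
// inside HTML text or a quoted attribute value.
// ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole string into an empty result.
function encode_post(string $raw): string
{
    return htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample posts (the first is the snippet from the question).
$posts = [
    'php tag'  => '<?php echo("test text"); ?>',
    'html tag' => '<b>hello</b><script>document.title = "changed";</script>',
    'quotes'   => 'Dave "the coder" O\'Neil & friends',
];

foreach ($posts as $label => $raw) {
    $encoded = encode_post($raw);

    // After encoding, no character that can open a tag or close an
    // attribute value remains in the string.
    $inert = strpbrk($encoded, '<>"\'') === false;

    // Decoding gives back exactly what the user typed, so nothing is lost.
    $roundTrip = html_entity_decode($encoded, ENT_QUOTES, 'UTF-8') === $raw;

    printf("%-8s stored/rendered as: %s\n", $label, $encoded);
    printf("         inert=%s round-trip=%s\n",
        var_export($inert, true), var_export($roundTrip, true));
}

// Encoding belongs in one place only. Encoding an already encoded string
// (once when saving, again when displaying) shows entities to the reader.
$once  = encode_post('<b>');
$twice = encode_post($once);
printf("once:  %s\ntwice: %s\n", $once, $twice);
```

Whether the encoding happens when the post is saved or when it is displayed, it should happen exactly once, and the page's declared character set should match the one passed to `htmlentities`.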