Web Security

In a forum-type environment, how do you stop users from typing in bits of code which could be executed the next time the post is viewed? I am assuming, for example, that if I type a bit of PHP in this forum as below it will not be executed.

<?php echo("test text"); ?>

What about HTML?

test table

I’m not big on JavaScript, but again, could this pose a risk of execution if some malicious code was posted in a forum post? How is this protected against?

I don’t know about this forum, but I’d guess it does it this way (as it was how I did it in a forum I wrote years ago).

You type in
what actually gets stored in the database is


So there is no “HTML code”… this would also protect against <?PHP tags etc.
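The escaping approach described in the reply above, as an added example written for this thread (it is not code from the forum software or from Xojo): the characters that HTML treats as markup are replaced by entities, so a post containing tags is displayed as the literal text that was typed. The function name and the sample inputs are my own; storing the escaped form as the post suggests works, but escaping at display time instead keeps the stored text reusable in non-HTML contexts such as email or a JSON API.

```php
<?php
// Added example, not from the forum thread: escape a user-submitted post body
// so that HTML, JavaScript or <?php tags inside it are rendered literally.
// escape_post_html() is a hypothetical name chosen for this example.

declare(strict_types=1);

/** Escape a post body for insertion into an HTML element's text content. */
function escape_post_html(string $raw): string
{
    // ENT_QUOTES escapes both ' and " (so text is safe inside quoted
    // attributes too); ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
    // of returning an empty string; the charset must match the page's declared
    // encoding or the browser may reinterpret the bytes.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs of the kind the question worries about.
$samples = [
    '<?php echo("test text"); ?>',
    '<table><tr><td>test table</td></tr></table>',
    '<script>alert("xss")</script>',
    '" onmouseover="alert(1)',
];

foreach ($samples as $raw) {
    $stored = escape_post_html($raw);
    // The browser shows the original text; what is stored and served back
    // contains none of the characters that start markup.
    printf("stored: %s\n", $stored);
    assert(strpbrk($stored, '<>"\'') === false);
}
```

This escaping is correct for element content and quoted attribute values only; text that ends up inside a script block, a URL or an unquoted attribute needs the escaping rules for that context.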

I believe Xojo inc. is following those procedures: https://www.owasp.org/index.php/Top_10_2013-Top_10

Thanks folks,

Dave, I am using this approach using PHP’s htmlentities. John, great website, I will run through their list and follow some of the advice.