In a forum type environment how do you stop users typing bits of code in which could be executed next time the post is viewed. I am assuming for example if I type a bit of php in this forum as below it will not be executed.
<?php echo("test text"); ?>What about HTML.
| test table |
I’m not big on javascript but again could this pose a risk of execution if some malicious code was posted in a forum post. How is this protected against?
I don’t know about this forum, but I’d guess it does it this way (as it was how I did it in a forum I wrote years ago)
You type in
what actually gets stored in the database is
I believe Xojo inc. is following those procedures: https://www.owasp.org/index.php/Top_10_2013-Top_10
Thanks folks,
Dave, I am using this approach using PHP’s htmlentities. John, great website,I will run through their list and follow some of the advice.