so wherever your variable is for your user_input
apply a whitelist that says only alphanumeric is allowed
disallow special characters from being reflected back in the response
you can create pseudo rich html tags and replace them in your code with the equivalent html tags, so that would stop injection attacks as well
i.e. if the user wants to use , use a method to replace your own defined syntax of [img] to , disallow everything else
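The approach described in this post, as an added example that is not part of the original reply: a strict alphanumeric allowlist for reflected values, HTML escaping for fields that must accept free text, and a pseudo-markup translator that turns the poster's own `[b]` and `[img]` syntax into real elements only after everything else has been neutralised. JavaScript is assumed as the server-side language; the mapping of `[img]` to an `<img>` element and the narrow URL check applied to its contents are assumptions, since the post does not spell out the target tag.

```javascript
// Added example (not from the original post). Demonstrates:
//   1. an alphanumeric allowlist that rejects rather than "cleans" input,
//   2. HTML escaping of anything that must be reflected as free text,
//   3. pseudo rich-text tags translated into real HTML after escaping.

const STRICT_ALPHANUMERIC = /^[A-Za-z0-9]+$/;

// Step 1: the allowlist the post describes. Anything that is not purely
// alphanumeric is rejected outright; the caller decides how to report it.
function acceptAlphanumeric(userInput) {
  return STRICT_ALPHANUMERIC.test(userInput) ? userInput : null;
}

// Step 2: for fields that must accept free text, escape every character that
// carries meaning in HTML before it is reflected, so nothing the user typed
// can be interpreted as markup or break out of a quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed URL allowlist for the [img] pseudo-tag: http(s) only, and only
// characters that cannot close the src attribute or introduce a new one.
// Because escaping has already run, any quote or ampersand in the original
// text is now an entity and fails this check automatically.
const SAFE_IMG_URL = /^https?:\/\/[A-Za-z0-9._~\-\/]+$/;

// Step 3: pseudo rich-text tags. Escape the whole string first, then convert
// only the recognised pseudo-tags. A pseudo-tag whose content fails
// validation is left as the (already escaped) text the user typed.
function renderPseudoMarkup(userInput) {
  const escaped = escapeHtml(userInput);
  return escaped
    .replace(/\[b\](.*?)\[\/b\]/g, '<b>$1</b>')
    .replace(/\[img\](.*?)\[\/img\]/g, (whole, url) =>
      SAFE_IMG_URL.test(url) ? `<img src="${url}">` : whole);
}

// Constructed sample inputs, for a quick manual run.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(acceptAlphanumeric('alice42'));          // alice42
  console.log(acceptAlphanumeric('alice<42>'));        // null
  console.log(renderPseudoMarkup('<b>x</b>[b]y[/b]')); // &lt;b&gt;x&lt;/b&gt;<b>y</b>
  console.log(renderPseudoMarkup('[img]https://example.com/a.png[/img]'));
}
```

The ordering is the important design point: escaping runs over the entire string before any pseudo-tag is translated, so the only way real markup reaches the response is through the translator's own fixed templates, and the one user-controlled value that lands inside an attribute (the `[img]` URL) has to pass a separate allowlist first.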