I am using the CKEditor to let the users post their comments. I am not using the bbcode in my forum. If I hide the source button of CKEditor and do the following steps:
- use htmlspecialchars() function to handle the html elements
- use parse_url to ensure that the data has been submitted from my own domain
Am I securely handling the user-submitted data? Do I still need to use bbcode? What more steps should I take to make my application more secure?
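The two steps named in the question, written out as PHP functions so the behaviour of each can be checked against concrete inputs. This is an added example, not code from the post or from CKEditor; the function names, the host `forum.example.test` and the sample referers are constructed for illustration. It also shows why the host must be compared as a whole rather than as a substring, which the question does not spell out.

```php
<?php
// Added example (not from the original post). Function names are hypothetical.
declare(strict_types=1);

// Step 1: encode the submitted comment for output in an HTML context.
// ENT_QUOTES encodes single as well as double quotes, ENT_SUBSTITUTE replaces
// invalid byte sequences instead of returning an empty string, and the explicit
// charset avoids mis-decoding. Note that this turns any markup CKEditor produced
// into literal text: "<b>hi</b>" is displayed as those characters, not as bold.
function encodeComment(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Step 2: check that the Referer header names our own host.
// The header is supplied by the client (browsers may omit it, proxies may strip
// it), so a mismatch is a reason to reject, but a match is not proof of origin.
function isFromOwnDomain(?string $referer, string $ownHost): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    // Compare the host component only and as a whole: a substring check such as
    // strpos($referer, $ownHost) would accept "forum.example.test.evil.test".
    return strcasecmp($parts['host'], $ownHost) === 0;
}

// Constructed sample inputs; in a request handler the referer would come from
// $_SERVER['HTTP_REFERER'] ?? null and the comment from the posted form field.
$ownHost = 'forum.example.test';
$sampleReferers = [
    'https://forum.example.test/thread/42',
    'https://forum.example.test.evil.test/thread/42',
    'https://evil.test/?q=forum.example.test',
    '',
];
foreach ($sampleReferers as $ref) {
    $label = $ref === '' ? '(no referer)' : $ref;
    printf("%-50s %s\n", $label, isFromOwnDomain($ref, $ownHost) ? 'accept' : 'reject');
}

$comment = '<script>alert("x")</script> It\'s a "test"';
echo encodeComment($comment), "\n";
```

Only the first sample referer is accepted; the second and third carry the forum's hostname as a substring but have a different host component, and the empty one is rejected because there is nothing to compare.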