2017-03-08, 10:46 PM
I assume the answer is yes, but these things are important to get right.
If I put $mybb->user['username'] in some template code, it will substitute that with the logged-in user's username.
What sanitization is done behind the scenes before that is inserted into the page HTML? The kind of thing I'm thinking of doing is creating a form section on a page, where the username would be the value of a hidden form input. I obviously want to work safely, avoiding any risks of injection or data exposure - and certain characters in usernames (such as ', ", or >) would obviously be undesirable.
Am I correct to assume that this kind of thing has already been taken care of by the MyBB engine by the time the $mybb->user array is formed?