As I have stated twice, it depends entirely on how you're saving this user input... wait, that's three times now XD
I'm going to guess your code is:
file_put_contents("submissions/".$_POST['name']."/index.html", $_POST['text']);
But if $_POST['name']
is ../
then you are saving their submission to submissions/..//index.html
... in other words you are overwriting the homepage of the site! And by allowing $_POST['text']
to be dumped in there with no safety just lets anyone do what they want.
Instead, you should be saving these submissions to a database, referencing them by an ID number, and using something like htmlspecialchars
to prevent input HTML from being processed.