Securing CodeMirror - Preventing JavaScript and PHP Execution

I am currently working on a project that involves creating a simple template editor using CodeMirror. In this project, users can edit two sections: one for HTML and another for SCSS. The code from both editors is saved to a database and can be live previewed by the users.

My concern is the security of the application, particularly the potential for users to add or execute JavaScript and server-side PHP code within these editors. I want to ensure that the HTML editor only allows HTML code and the SCSS editor only allows SCSS code, without any potential for JavaScript or PHP execution.

I would appreciate any guidance, best practices, or suggestions on properly securing both editors to prevent users from adding or executing JavaScript and PHP code.

Thank you

The editor itself will not run any of its content as code, so as long as your code that works with the strings it retrieves from the editor doesn’t either, you should be okay. If you’re going to put the user’s code in a context where it will be executed, securing that depends entirely on how you are doing this execution, and I don’t think there are many general practices that apply across situations.
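As an added example (not part of the question or the reply above, and not CodeMirror's own code), the JavaScript below shows one way to act on that advice for the case described in the question: the HTML string and the compiled SCSS come back from the database and are rendered in a live preview. The security boundary is the preview context, not the editor: the preview goes into an `<iframe>` with an empty `sandbox` attribute (no scripts, no forms, opaque origin) and a Content-Security-Policy that allows no script source at all, so a `<script>` tag or `onclick` handler in the template simply never runs. The CSS is inlined into a `<style>` element with its `</` sequences escaped so the stylesheet cannot close the element and inject markup. A separate regex-based lint flags the obvious "trying to run code" constructs (including `<?php` tags) so the save can be rejected with a useful message; that lint is coarse by design and is not a sanitizer, and it is the sandbox plus CSP that actually prevents execution. The function names, the exact CSP string and the sample template are assumptions made for this example.

```javascript
// Added example, not from the original thread or from CodeMirror itself.
// Assumed pipeline: userHtml and compiledCss (SCSS already compiled to CSS)
// come from the database; the preview is an <iframe sandbox srcdoc="...">.

// Policy for the preview document (assumed; adjust to taste). There is no
// script-src at all, so nothing can execute even if a <script> slips through,
// and images/fonts are limited to data: URIs so user CSS cannot phone home
// through url() backgrounds.
const PREVIEW_CSP =
  "default-src 'none'; style-src 'unsafe-inline'; img-src data:; font-src data:";

// Build the srcdoc for the preview iframe. CSS text can only break out of a
// <style> element with a literal "</" sequence, so that sequence is turned
// into the CSS escape "<\/", which the parser reads as plain characters.
function buildPreviewDocument(userHtml, compiledCss) {
  const safeCss = String(compiledCss).replace(/<\//g, '<\\/');
  return [
    '<!doctype html>',
    '<html><head><meta charset="utf-8">',
    `<meta http-equiv="Content-Security-Policy" content="${PREVIEW_CSP}">`,
    `<style>${safeCss}</style>`,
    '</head><body>',
    String(userHtml),
    '</body></html>',
  ].join('\n');
}

// Attributes for the preview <iframe>. An empty sandbox value means: no
// scripts, no forms, no popups, and an opaque origin, so the preview cannot
// reach the editor page's cookies or DOM even if scripting were somehow on.
function previewIframeAttributes(srcdoc) {
  return { sandbox: '', srcdoc, referrerpolicy: 'no-referrer' };
}

// Pre-save lint: flag constructs that only make sense as an attempt to run
// code. Coarse regex checks, intended to reject a save with a clear error;
// they are not a substitute for the sandbox + CSP above.
const LINT_RULES = [
  { rule: 'script-tag',     re: /<script\b/i },
  { rule: 'event-handler',  re: /[\s"'\/]on[a-z]+\s*=/i },
  { rule: 'javascript-url', re: /\bjavascript\s*:/i },
  { rule: 'php-tag',        re: /<\?(php\b|=|\s)/i },
  { rule: 'embedding-tag',  re: /<(iframe|object|embed|base)\b/i },
];

// Returns one finding per matching rule: { rule, sample } where sample is
// the first matching fragment, useful for the error shown to the user.
function lintTemplate(source) {
  const text = String(source);
  return LINT_RULES
    .filter(({ re }) => re.test(text))
    .map(({ rule, re }) => ({ rule, sample: text.match(re)[0] }));
}

// Constructed sample input for demonstration, not from any real template.
const sampleHtml =
  '<p onclick="steal()">hello</p><script>alert(1)</script>' +
  '<?php system("id"); ?><a href="javascript:alert(3)">x</a>';
const sampleCss = 'p { color: red }</style><script>alert(2)</script>';

console.log(lintTemplate(sampleHtml));
console.log(previewIframeAttributes(buildPreviewDocument('<p class="ok">hi</p>', sampleCss)));
```

On the preview page, apply the returned attributes with `iframe.setAttribute('sandbox', '')` and `iframe.srcdoc = doc`; keep the sandbox even when the lint passes, because a same-origin, unsandboxed preview would let user CSS alone read page content through attribute selectors. As for PHP: template text stored in a database and echoed back as data is never handed to the PHP interpreter, so `<?php` in a template is only a problem if your backend `include`s or `eval`s the stored string as a PHP file; the `php-tag` lint rule is a belt-and-braces check, not the thing that keeps it from running.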