One additional thing: As discussed a lot in the last time, you should check „user generated content“ for malicious code – especially (or at least) if anonymous users can submit your form. The esc() helper method is your friend 
1 Like