Thanks Hugh,
You're right that it is not Fabrik.
I've discovered that Sourcerer (from Regular Labs) processes everything in Joomla by default when the plugin is on: form text, and even form input that is output/included when the form is loaded. This seems like really dangerous behaviour to me, but they're not seeing it that way. So I could type PHP code invoking Sourcerer that does bad stuff into any Joomla form on any site that uses Sourcerer. Yikes! Their response is that I can turn it off by component, so I could turn off Sourcerer for Fabrik. But it's all or nothing, and I use PHP code in my form and list heading text...
They have hardcoded/removed the known/common Joomla forms by form ID, like the logon and contact forms and all Joomla forms, but forms in other components that don't happen to use one of their hardcoded form IDs are all processed. They feel it's a feature. And maybe it is, but it should be able to be turned off and shouldn't be the default for unsuspecting users.
But they did take some quick action to provide a solution that is not perfect but is workable if you are aware of it. To accommodate me they have added a class 'no-sourcerer' that, if it's on the form, stops the processing (in their development/beta version for now). It seems pretty easy to remove in the inspector though...
Anyway, perhaps this is something other Fabrik users (that happen to use Sourcerer) should be aware of. But on the other hand, we don't want to expose a vulnerability that others have not locked down.
If you could add a way to add a 'class' to a form, that would be great, but since I don't think there is an easy way, I have added class = 'no-sourcerer' to my Fabrik templates (bootstrap_no-sourcerer) to protect my forms and get around this IMO dangerous default behaviour.
AND THE BEST DEFENSE is that Sourcerer allows you to override their default tag. So instead of {source}<?php ...code...?>{/source}, you can change that to {fubar} or whatever. That's the quickest and simplest security against this behaviour being used against you by people that don't know your plugin word.
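As an added example (not from the post above, nor from Sourcerer or Fabrik), here is a small check a site owner could run over stored form submissions to spot content carrying a complete Sourcerer tag pair, using either the default `source` tag or an overridden one, plus a check that a rendered form opts out via the `no-sourcerer` class. The submissions, the tag name `fubar` and the form markup are constructed sample data.

```python
import re

# Constructed sample form submissions (not real data), field name -> value,
# as any Joomla component might store them.
SAMPLE_SUBMISSIONS = [
    {"name": "alice", "message": "Hello, just a normal enquiry."},
    {"name": "bob", "message": "{source}<?php echo 'hi'; ?>{/source}"},
    {"name": "carol", "message": "Mentions {fubar} once with no closing tag"},
    {"name": "dave", "message": "{FUBAR}\n<?php echo date('Y'); ?>\n{/fubar}"},
]


def sourcerer_pattern(tag="source"):
    """Regex for a complete {tag}...{/tag} pair.

    'source' is Sourcerer's default; pass the overridden name if the site has
    changed it. The scan deliberately matches case-insensitively and across
    lines so it errs on the side of flagging (an assumption of this scanner,
    not a statement about how Sourcerer itself matches).
    """
    name = re.escape(tag)
    return re.compile(r"\{" + name + r"\}(.*?)\{/" + name + r"\}",
                      re.IGNORECASE | re.DOTALL)


def find_tagged_fields(submission, tag="source"):
    """Field names in one submission whose value holds a full tag pair."""
    pattern = sourcerer_pattern(tag)
    return [field for field, value in submission.items()
            if isinstance(value, str) and pattern.search(value)]


def scan_submissions(submissions, tag="source"):
    """Map the index of each flagged submission to its offending fields."""
    flagged = {}
    for idx, submission in enumerate(submissions):
        fields = find_tagged_fields(submission, tag)
        if fields:
            flagged[idx] = fields
    return flagged


def form_opts_out(form_html):
    """True if the opening <form> tag lists 'no-sourcerer' as a whole class.

    Splitting the class attribute avoids a naive substring match that would
    also accept names like 'no-sourcerer-x'.
    """
    m = re.search(r"<form\b[^>]*\bclass\s*=\s*[\"']([^\"']*)[\"']",
                  form_html, re.IGNORECASE)
    return bool(m) and "no-sourcerer" in m.group(1).split()


if __name__ == "__main__":
    print(scan_submissions(SAMPLE_SUBMISSIONS))               # {1: ['message']}
    print(scan_submissions(SAMPLE_SUBMISSIONS, tag="fubar"))  # {3: ['message']}
```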