Hi,
Can we stop accepting PHP, shell scripts in the input text box in moodle?
It can be possible anyone can run the PHP script can harm the server level.
Moodle's code is careful to santise inputs and outputs to prevent code injection attacks. However, it doesn't prevent code being entered into inputs like this, as it may be a legitimate use of the tool. If you are running a programming course, or a database management course, then answers may include programming code or SQL. There are even plugins which do deliberate execute entered code on the server, in a sandbox with appropraite security measures.
If you believe you have found a case where code entered into a form is actually being exectued on the server or the user's browser, please follow the procedure for reporting security issues, either using the security reporting form or the issue tracker.
So you entered a string into Moodle, exported the data as a file, opened that file in Excel, and Excel executed the string? That feels more like an issue with Excel than Moodle, but it would probably be good if data exported to spreadsheets was escaped so that it wasn't treated as executable (just like we do when outputting to a web page). I'd suggest creating a tracker issue with the example you've described above.