WordPress - How to prevent escaping when saving HTML code in an option value?

I took another approach to this. I encoded and decoded my options with HTML entities. One thing I'm not sure of is whether this opens up a nasty back door for folks to drive compromising HTML through. I am relying on the fact that only admins will be editing theme options anyway, but maybe I'm being naive?

Here is what it looks like when I save an option:

update_option('my_option', htmlentities(stripslashes($_REQUEST['my_option'])));

And this is what it looks like when I retrieve an option:

html_entity_decode(get_option('my_option',htmlentities($my_default_value)));

stripslashes(wp_filter_post_kses(addslashes($_POST['sidebar_code'])));

but you should know that the kses filter is not 100% safe.


This isn't a complete answer to your question, but possibly pointing you in the right direction: You could try <?php esc_textarea( $text ) ?>, as detailed by the codex here: http://codex.wordpress.org/Function_Reference/esc_textarea.

My own metabox textarea snippets look like this:

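<?php 
  if ( $meta_box['type'] == "textarea" ) {
    // Escape the stored value for display inside the <textarea> element.
    $meta_box_value = esc_textarea( get_post_meta($post->ID, $meta_box['name'].'_value', true) );
    // Escape the field name as well, since it is placed in an HTML attribute.
    echo '<textarea class="meta-textarea" style="width: 100%;" cols="20" rows="2" name="' . esc_attr( $meta_box['name'] . '_value' ) . '">' . $meta_box_value . '</textarea><br />';
  }
?>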
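
Added example, not part of the answers above: one way to store the HTML option without entity-encoding it, while enforcing on the server the "only admins edit this" assumption from the first answer. The handler and function names, the nonce action and the `admin-post.php` form wiring are assumptions; `my_option` is the option name used above.

```php
<?php
// Added example. Hypothetical names: my_theme_save_option, my_theme_nonce,
// my_theme_render_option_field, my_theme_print_option.

// Handles the settings form POST (form action: admin-post.php,
// hidden field action=my_theme_save_option).
add_action( 'admin_post_my_theme_save_option', 'my_theme_save_option' );

function my_theme_save_option() {
    // Enforce "admins only" on the server; a hidden menu entry is not a control.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Reject forged cross-site requests: the nonce must come from our own form.
    check_admin_referer( 'my_theme_save_option', 'my_theme_nonce' );

    // WordPress adds slashes to $_POST; remove them once, on a copy.
    $raw = isset( $_POST['my_option'] ) ? wp_unslash( $_POST['my_option'] ) : '';

    // Users without unfiltered_html (e.g. site admins on multisite) get the
    // post-content allowlist; users who hold it keep their markup as typed.
    $html = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );

    // Stored as plain HTML: update_option() expects unslashed data and
    // needs no htmlentities() round trip.
    update_option( 'my_option', $html );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// Renders the field inside the settings form.
function my_theme_render_option_field() {
    wp_nonce_field( 'my_theme_save_option', 'my_theme_nonce' );
    // esc_textarea() encodes only for display inside <textarea>;
    // the stored value stays raw HTML.
    printf(
        '<textarea name="my_option" rows="6" style="width: 100%%;">%s</textarea>',
        esc_textarea( get_option( 'my_option', '' ) )
    );
}

// Front-end output: the value was filtered at save time, or saved by a user
// WordPress already trusts with unfiltered HTML.
function my_theme_print_option() {
    echo get_option( 'my_option', '' );
}
```

The capability check and nonce close the path the first answer worries about: without them, any request that reaches the save code, including one forged against a logged-in admin's browser, could write HTML into the option.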