How to prevent escaping when saving HTML code in an option value?

I have a Theme Options page where the user can add certain options like Facebook links, etc. One of the options is for some ad code and when saving it as an option it gets escaped over and over again.

What’s the best approach for saving code inserted in an admin page <textarea> using update_option( 'sidebar_code', $_POST['sidebar_code'] ); ?

3 comments

  1. I took another approach to this. I encoded and decoded my options with HTML entities. One thing I’m not sure of is whether this opens up a nasty back door for folks to drive compromising HTML through. I am relying on the fact that only admins will be editing theme options anyway, but maybe I’m being naive?

    Here is what it looks like when I save an option:

    update_option('my_option', htmlentities(stripslashes($_REQUEST['my_option'])));
    

    And this is what it looks like when I retrieve an option:

    html_entity_decode(get_option('my_option',htmlentities($my_default_value)));
    
  2. This isn’t a complete answer to your question, but possibly pointing you in the right direction: You could try <?php esc_textarea( $text ) ?>, as detailed by the codex here: http://codex.wordpress.org/Function_Reference/esc_textarea.

    My own metabox textarea snippets look like this:

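    <?php
      // Render a textarea meta box, pre-filled with the saved post meta value.
      if ( $meta_box['type'] == "textarea" ) {
        // esc_textarea() encodes the value for safe output inside <textarea>.
        $meta_box_value = esc_textarea( get_post_meta($post->ID, $meta_box['name'].'_value', true) );
        echo '<textarea class="meta-textarea" style="width: 100%;" cols="20" rows="2" name="' . esc_attr( $meta_box['name'] ) . '_value">' . $meta_box_value . '</textarea><br />';
      }
    ?>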
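
An added example, not code from the question or from either comment: WordPress adds slashes to `$_POST` on every request and `update_option()` stores what it is given, so the sketch below unslashes once on save, stores the raw markup, and escapes only when printing it back into the `<textarea>`. It also covers the concern raised in comment 1 with a capability check, a nonce, and a `wp_kses_post()` fallback for users without `unfiltered_html`. The function names, the nonce action `mytheme_save_options` and the nonce field `mytheme_nonce` are assumptions.

```php
<?php
// Added example. Assumed names: mytheme_save_sidebar_code(),
// mytheme_render_sidebar_field(), nonce action 'mytheme_save_options',
// nonce field 'mytheme_nonce'.

add_action( 'admin_init', 'mytheme_save_sidebar_code' );

function mytheme_save_sidebar_code() {
    if ( ! isset( $_POST['sidebar_code'] ) ) {
        return;
    }

    // Only users who may edit theme options, and only from our own form.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'You are not allowed to change theme options.' );
    }
    check_admin_referer( 'mytheme_save_options', 'mytheme_nonce' );

    // WordPress slashes $_POST on every request; remove the slashes once
    // here so they are not stored and then doubled on the next save.
    $code = wp_unslash( $_POST['sidebar_code'] );

    // Users without unfiltered_html (e.g. site admins on multisite) get the
    // post-content allowlist, which strips <script> and similar tags.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $code = wp_kses_post( $code );
    }

    // Store the markup as entered; no entity-encoding at rest.
    update_option( 'sidebar_code', $code );
}

function mytheme_render_sidebar_field() {
    $code = get_option( 'sidebar_code', '' );

    echo '<form method="post">';
    wp_nonce_field( 'mytheme_save_options', 'mytheme_nonce' );
    // Escape for the textarea context only, at output time.
    echo '<textarea name="sidebar_code" rows="6" style="width: 100%;">'
        . esc_textarea( $code ) . '</textarea>';
    submit_button();
    echo '</form>';
}
```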