WordPress.org

1. sacher
   Member
   Posted 11 months ago #

   Hi,
   I'm creating a new theme and want to pass the aweber code to the home page by using an option panel where the user can paste the javascript code into a text box and this text will be echo where required.

   The code entered by the user in the text box (called mt_optin)will be

   <script type="text/javascript" src="http://forms.aweber.com/form/33/XXXXXXXXX.js"></script>

   To echo it I use

   <div id="optinbox">
   <?php echo get_option('mt_optin'); ?>
   </div>

   But the aweber opt in box in not showed. I guess it is because the echoed text includes a backslash after type= and src=

   <script type=\"text/javascript\" src=\"http://forms.aweber.com/form/33/420341433.js\"></script>

   Anyone can help me?

   Thanks in advance

2. Chip Bennett
   Member
   Posted 11 months ago #

   Since HTML, URLs, and JS are sanitized/escaped differently, I would have the user store only the script SRC in the option, rather than the entire script markup. That way, you can more-precisely sanitize and escape the user input:
   

   <div id="optinbox">
   <script
    type="text/javascript"
    src="<?php echo get_option( 'mt_optin' ); ?>"
   ></script>
   </div>

   Also, be sure to escape the user data on output:
   

   src="<?php echo esc_url( get_option( 'mt_optin' ) ); ?>"

   Also, I don't know how aWeber form script URLs work, but if the only part of the URL that changes is "XXXXXXXXX", you could simplify things even further, by having the user enter just this value as the Theme Option.

   And, you really should be storing your options as a single options array, e.g.
   

   $mt_options = get_option( 'mt_theme_options' );
   $mt_optin = $mt_options['optin'];

Reply

You must log in to post.