Saving unescaped HTML/JS in a plugin form (2 posts)

  1. salientdigital
    Posted 4 years ago #

    I built a custom plugin following all the Data Validation and Security recommendations on the Codex. Everything is working great. Now I need to add a field that lets an admin user paste in HTML and JavaScript code.

    Trouble is, my $wpdb->update( ) function call is escaping the code and adding a backslash in front of every quote when I save it. E.g.

    <script type="text/javascript">...

    upon saving, and inspecting the database, becomes...

    <script type=\"text/javascript\">...

    Can I suppress this somehow? Or does this mean I have a configuration problem on my site/server? I guess I never tried saving data in any of the fields with a quote in it until now.

    I have magic quotes off but I read WP turns them on and escapes all the input anyway...

  2. Workshopshed
    Posted 4 years ago #

    The normal way to handle this is to escape the code on entry to the DB, then unescape it when you need to display it.

    However you might be able to make it work by using $wpdb->query and writing the SQL update statement long hand.
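    The two suggestions above in working form, as an added example that is not code from either poster. The backslashes in the first post come from WordPress itself: wp-settings.php runs wp_magic_quotes() on every request and adds slashes to $_POST, $_GET and $_COOKIE regardless of PHP's magic_quotes setting, while $wpdb->update() does its own escaping, so a slashed value passed straight through is stored with the backslashes. The fix is to wp_unslash() the posted value before handing it to $wpdb (stripslashes_deep() on WordPress older than 3.6). The table name sd_snippets, the columns id and body, the form field snippet_body and the nonce action sd_save_snippet are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumed: a custom table
// {$wpdb->prefix}sd_snippets (id INT, body LONGTEXT), a form field
// 'snippet_body', and a nonce action 'sd_save_snippet'.

// Save an admin-supplied HTML/JS snippet with $wpdb->update().
function sd_save_snippet( $id ) {
    global $wpdb;

    // Raw markup is only acceptable from users WordPress already trusts
    // with unfiltered HTML (administrators on single-site installs).
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'You are not allowed to save raw HTML.' );
    }
    check_admin_referer( 'sd_save_snippet' );

    if ( ! isset( $_POST['snippet_body'] ) ) {
        return false;
    }

    // WordPress slashes $_POST on every request. Remove those slashes here;
    // $wpdb->update() escapes the value itself, so passing the slashed
    // string would store a backslash before every quote.
    $body = wp_unslash( $_POST['snippet_body'] ); // stripslashes_deep() on WP < 3.6

    $table = $wpdb->prefix . 'sd_snippets';

    $rows = $wpdb->update(
        $table,
        array( 'body' => $body ),     // data: bound via %s, never interpolated
        array( 'id'   => (int) $id ), // where
        array( '%s' ),
        array( '%d' )
    );
    return false !== $rows;
}

// The "long hand" variant from the second reply. Writing the UPDATE
// yourself does not remove the need to unslash, and the value must still
// go through $wpdb->prepare(); concatenating $body into the SQL would be
// an injection point. The table name comes from $wpdb->prefix, not from
// user input, which is why it can be interpolated.
function sd_save_snippet_query( $id ) {
    global $wpdb;

    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'You are not allowed to save raw HTML.' );
    }
    check_admin_referer( 'sd_save_snippet' );

    $body  = wp_unslash( $_POST['snippet_body'] );
    $table = $wpdb->prefix . 'sd_snippets';

    $rows = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET body = %s WHERE id = %d",
            $body,
            (int) $id
        )
    );
    return false !== $rows;
}

// Display side. The stored body is deliberately raw HTML/JS, so it is
// returned as-is for echoing. Only do this for content written by an
// 'unfiltered_html' user; anything else belongs behind wp_kses_post()
// or esc_html() before it reaches a page.
function sd_render_snippet( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'sd_snippets';
    $body  = $wpdb->get_var(
        $wpdb->prepare( "SELECT body FROM {$table} WHERE id = %d", (int) $id )
    );
    return (string) $body;
}
```

Both save functions store the snippet exactly as pasted, so `<script type="text/javascript">` round-trips without gaining backslashes and no unescaping step is needed on output. The capability check is what keeps this from becoming a stored XSS sink: any lower-privileged role that can reach the form would otherwise be able to plant script that runs for every visitor.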

Topic Closed

This topic has been closed to new replies.