[wp-hackers] User input in a WordPress Plugin

Mark Jaquith mark.wordpress at txfx.net
Wed Oct 18 21:39:05 GMT 2006

On Oct 18, 2006, at 1:42 PM, Kirk Montgomery wrote:

> It looks like update_option is
> sanitizing the input an striping out dangerous input.

It shouldn't be.  It could just be that you need to do:

> echo wp_specialchars(get_option('your_option'), true);

When you are printing out your backend <input />s  You need to  
convert HTML entities and quotes when inside a value="" parameter.

Still, Robert is right... if you want to allow some HTML and block  
others, you should additionally be passing the output (on the front  
end) through KSES to prevent things like script execution.

Mark Jaquith

More information about the wp-hackers mailing list