[wp-hackers] User input in a WordPress Plugin
Mark Jaquith
mark.wordpress at txfx.net
Wed Oct 18 21:39:05 GMT 2006
On Oct 18, 2006, at 1:42 PM, Kirk Montgomery wrote:
> It looks like update_option is
> sanitizing the input and stripping out dangerous input.
It shouldn't be. It could just be that you need to do:
> echo wp_specialchars(get_option('your_option'), true);
When you are printing out your backend <input />s, you need to
convert HTML entities and quotes when inside a value="" parameter.
Still, Robert is right... if you want to allow some HTML and block
others, you should additionally be passing the output (on the front
end) through KSES to prevent things like script execution.
--
Mark Jaquith
http://txfx.net/
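The two output paths Mark describes (attribute-escape the stored value when echoing it back into an admin form's value="", and pass it through KSES before it reaches the front end) as an added example plugin. This is not code from the thread or from WordPress itself; the plugin prefix, the option name `ooe_notice_html`, the settings page and the allowed-tags list are all illustrative choices, and esc_attr() is used as the modern equivalent of wp_specialchars( $value, true ).

```php
<?php
/*
Plugin Name: Option Output Escaping Example (added example, not from the thread)
*/

// Assumed option name; any name would do.
define( 'OOE_OPTION', 'ooe_notice_html' );

function ooe_allowed_tags() {
    // Illustrative whitelist: only these tags/attributes survive wp_kses().
    // <script>, on*="" event handlers and javascript: URLs are stripped.
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

// Save handler: update_option() itself does not strip HTML, so any
// "disappearing" markup is an output-escaping issue, not a storage one.
function ooe_handle_save() {
    if ( ! isset( $_POST['ooe_save'] ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'ooe_save_action', 'ooe_nonce' );
    $raw = isset( $_POST[ OOE_OPTION ] ) ? wp_unslash( $_POST[ OOE_OPTION ] ) : '';
    // Bounding the stored value with wp_kses() is defence in depth; the
    // escaping at each output point is what actually blocks script execution.
    update_option( OOE_OPTION, wp_kses( $raw, ooe_allowed_tags() ) );
}

function ooe_settings_page() {
    ooe_handle_save();
    $value = get_option( OOE_OPTION, '' );
    ?>
    <div class="wrap">
        <h2>Notice HTML</h2>
        <form method="post">
            <?php wp_nonce_field( 'ooe_save_action', 'ooe_nonce' ); ?>
            <!-- Inside value="" the string must have &, <, >, " and ' encoded,
                 otherwise a stored quote breaks out of the attribute. -->
            <input type="text" size="80"
                   name="<?php echo esc_attr( OOE_OPTION ); ?>"
                   value="<?php echo esc_attr( $value ); ?>" />
            <input type="submit" name="ooe_save" value="Save" />
        </form>
    </div>
    <?php
}

function ooe_register_menu() {
    add_options_page( 'Notice HTML', 'Notice HTML', 'manage_options',
                      'ooe-settings', 'ooe_settings_page' );
}
add_action( 'admin_menu', 'ooe_register_menu' );

// Front end: the limited HTML is allowed through, but never raw output.
// wp_kses() drops anything outside the whitelist before it reaches the page.
function ooe_prepend_notice( $content ) {
    $html = get_option( OOE_OPTION, '' );
    if ( '' === $html ) {
        return $content;
    }
    return '<div class="ooe-notice">' . wp_kses( $html, ooe_allowed_tags() ) . '</div>' . $content;
}
add_filter( 'the_content', 'ooe_prepend_notice' );
```

The point of the split is that the admin form and the front end need different treatments: in value="" every quote and angle bracket must be entity-encoded so the stored string cannot end the attribute, while on the front end the value is meant to render as (limited) HTML, so a whitelist filter rather than full encoding is the right tool.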