[wp-hackers] User input in a WordPress Plugin

Kirk Montgomery clarke1866 at gmail.com
Fri Oct 20 17:14:41 GMT 2006


Thanks for the information all, it was exactly what I was looking for!

Cheers.

On 10/18/06, Mark Jaquith <mark.wordpress at txfx.net> wrote:
> On Oct 18, 2006, at 1:42 PM, Kirk Montgomery wrote:
>
> > It looks like update_option is
> > sanitizing the input and stripping out dangerous input.
>
> It shouldn't be.  It could just be that you need to do:
>
> > echo wp_specialchars(get_option('your_option'), true);
>
> When you are printing out your backend <input />s. You need to
> convert HTML entities and quotes when inside a value="" parameter.
>
> Still, Robert is right... if you want to allow some HTML and block
> others, you should additionally be passing the output (on the front
> end) through KSES to prevent things like script execution.
>
> --
> Mark Jaquith
> http://txfx.net/
>
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
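As an added example (not code from this thread, from Mark or Robert, or from WordPress core), here is how a plugin could apply both pieces of advice above: store the option unmodified with update_option(), escape it for the attribute context when printing the backend <input />, and pass it through KSES with an explicit allowed-tag list on the front end. The option name, menu labels, hook names and the allowed-tag list are assumptions for the example; the WordPress functions used are real core APIs. wp_specialchars($text, true) is the 2006-era call quoted in the thread; esc_attr() has been its replacement since WordPress 2.8 and is what the example uses.

```php
<?php
/*
Plugin Name: Option Output Escaping Example
Description: Added example for the wp-hackers thread; not part of WordPress core.
*/

// Option name is an assumption for this example.
define( 'OOE_OPTION', 'ooe_footer_html' );

// Markup the front end may emit. Everything else (script, on* handlers,
// javascript: URLs) is removed by KSES. This list is an assumption.
function ooe_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'em'     => array(),
        'strong' => array(),
        'br'     => array(),
    );
}

add_action( 'admin_menu', 'ooe_register_page' );
function ooe_register_page() {
    add_options_page(
        'Footer HTML', 'Footer HTML', 'manage_options',
        'ooe-settings', 'ooe_render_page'
    );
}

function ooe_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // Handle the POST: verify the nonce, then store the submitted text as-is.
    // update_option() does not sanitize or strip anything; the protection
    // comes from escaping at each output point below.
    if ( isset( $_POST[ OOE_OPTION ] ) ) {
        check_admin_referer( 'ooe_save', 'ooe_nonce' );
        update_option( OOE_OPTION, wp_unslash( $_POST[ OOE_OPTION ] ) );
    }

    $value = get_option( OOE_OPTION, '' );
    ?>
    <div class="wrap">
      <h1>Footer HTML</h1>
      <form method="post">
        <?php wp_nonce_field( 'ooe_save', 'ooe_nonce' ); ?>
        <!-- Attribute context: a stored double quote would otherwise close
             value="" and let the rest of the string inject attributes.
             esc_attr() converts &, <, >, " and ' to entities
             (wp_specialchars( $value, true ) did the same job in 2006). -->
        <input type="text" size="80"
               name="<?php echo esc_attr( OOE_OPTION ); ?>"
               value="<?php echo esc_attr( $value ); ?>" />
        <?php submit_button( 'Save' ); ?>
      </form>
    </div>
    <?php
}

// Front end: some HTML is wanted here, so entity-escaping is the wrong tool.
// KSES keeps only the tags and attributes in ooe_allowed_html() and drops
// the rest, which is what blocks script execution from stored input.
add_action( 'wp_footer', 'ooe_print_footer' );
function ooe_print_footer() {
    echo wp_kses( get_option( OOE_OPTION, '' ), ooe_allowed_html() );
}
```

The two output points use different escapers on purpose: the settings form needs the stored string reproduced exactly inside an attribute, so every special character becomes an entity; the front end needs the whitelisted markup to render, so it filters tags instead of escaping them. Filtering at save time instead would also work, but then the settings form could never show an administrator what was rejected.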

