Whenever I get an input from a <textarea> or an input field, WordPress sanitizes my input and escapes all special characters. How can I disable this feature? For example, if I have the following HTML code that accepts C++ code such as cout<<"hello world"; WordPress will convert it to cout<<\"hello world\";
<!--HTML code-->
<form action="/action.php" method="post">
<input type="text" name="mycode" value="cout<<'hello world';">
<input type="submit" value="Submit">
</form>
<?php
//PHP code for action.php file
echo $_POST['mycode'];//This output will have all the special characters escaped
//I need this to give me the original text entered by the user without /s.
?>
I am using WordPress version 5.7.2. Any time I use special characters like \, ', ", they get a \ in front of them. I have tried this using different WordPress themes and the result is still the same. If I use stripcslashes($_POST['mycode']) this gets rid of these \. But I was wondering if there is a way to stop WordPress from doing this from the start. The following shows an image of the input and output I get.
You can sanitize the input data with the sanitize_text_field() function. Remember, rely on the WordPress API and its helper functions to assist with securing your themes. Whenever you're outputting data, make sure to properly escape it.
This style of validation most closely follows WordPress' whitelist philosophy: only allow the user to input what you're expecting. Luckily, there are a number of handy helper functions you can use for almost every data type. Sanitization is a bit more liberal of an approach to accepting user data.
We could sanitize the data with the sanitize_text_field() function:
$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );
The sanitize_*() class of helper functions are super nice for us, as they ensure we're ending up with safe data and require minimal effort on our part:
The form echoes back the user’s input so that the fields are already completed with their prior input. But there is no input sanitization – the code simply repeats the exact input from the user. Now suppose the user entered this data into the “comment” field:
Here's an insanely simple hack-y idea. At the top of /index.php, before WP gets its greedy little fingers on your incoming data, add this line:
$_SPOST = null;
if (isset($_SERVER['REQUEST_METHOD']) && strtoupper($_SERVER['REQUEST_METHOD']) === 'POST') {
    $_SPOST = $_POST;
}
Then whenever you know you'll be passing code content back to the browser:
<?php
//PHP code for action.php file
//$_SPOST was copied before WordPress added slashes, so this prints the user's original text, backslashes and all, as they typed it
echo $_SPOST['mycode'];
?>
But wait, there's more: we can hook back into the WordPress ecosystem and restore our POST data after it has been fiddled with and sanitized. This page gave me the idea to use parse_request, which fires once all query variables for the current request have been parsed.
function use_spost() {
    if (isset($_SPOST)) $_POST = $_SPOST;
}
add_action('parse_request', 'use_spost', 1);
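The slashes come from WordPress's wp_magic_quotes(), which runs addslashes() over $_GET, $_POST, $_COOKIE and $_REQUEST during bootstrap. As an added example (not code from the question or the answer above, and not WordPress's own), here is a handler that reverses that with the supported wp_unslash() call and then escapes the text on output; the hook name, nonce name and field name are assumed for illustration.

```php
<?php
// Added example: handle the "mycode" field inside WordPress rather than in a
// standalone action.php. WordPress addslashes() every request value early in
// bootstrap (wp_magic_quotes), which is why cout<<"x"; arrives as cout<<\"x\";.
// wp_unslash() gives the original text back; esc_html() makes it safe to echo.

function render_submitted_code(array $post_data): string {
    if (!isset($post_data['mycode']) || !is_string($post_data['mycode'])) {
        return '';
    }

    // Undo the slashes WordPress added: cout<<\"hello world\"; -> cout<<"hello world";
    $raw = wp_unslash($post_data['mycode']);

    // Never echo $raw as-is: it is attacker-controlled. esc_html() turns
    // <, >, ", ' and & into entities, so a submitted <script> tag is shown
    // as text instead of running in the viewer's browser.
    return '<pre><code>' . esc_html($raw) . '</code></pre>';
}

// Hypothetical wiring for a form that posts to admin-post.php with a hidden
// field action=show_code and a nonce field named show_code_nonce (assumed names).
function show_code_handler() {
    // Reject forged cross-site submissions before the data is used.
    check_admin_referer('show_code_action', 'show_code_nonce');
    echo render_submitted_code($_POST);
    exit;
}
add_action('admin_post_show_code', 'show_code_handler');
add_action('admin_post_nopriv_show_code', 'show_code_handler');
```

If the value is stored with update_post_meta() instead of echoed, pass the wp_unslash()'d string: the meta API re-applies slashes itself, so passing still-slashed data doubles them.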