
Whenever I get an input from a <textarea> or an input field, WordPress sanitizes my input and escapes all special characters. How can I disable this feature? For example, if I have the following HTML code that accepts C++ code such as cout<<"hello world"; WordPress will convert it to cout<<\"hello world\";.

<!--HTML code-->
<form action="/action.php" method="post">
  <input type="text" name="mycode" value="cout<<'hello world';">
  <input type="submit" value="Submit">
</form>


<?php
    //PHP code for action.php file
    echo $_POST['mycode'];//This output will have all the special characters escaped
    //I need this to give me the original text entered by the user without /s. 
?>

I am using WordPress version 5.7.2. Any time I use special characters like \, ', or " they get a \ in front of them. I have tried this using different WordPress themes and the result is still the same. If I use stripcslashes($_POST['mycode']) this gets rid of these \. But I was wondering if there is a way to stop WordPress from doing this from the start. The following shows an image of the input and output I get.


3 Answers


  1. You should be able to use the sanitize_text_field filter:

    /*
    * Filters the output from sanitize_text_field
    * @param $filtered string - the sanitized string
    * @param $original_string string - the original unsanitized string
    *
    * @return string - the unsanitized string
    */
    add_filter( 'sanitize_text_field', static function( $filtered, $original_string ) { return $original_string; }, 10, 2 ); 
    

    Basically, rather than returning the filtered string through the private _sanitize_text_field method, you return the original string that was passed into the input.

    You can do the same thing for textareas using: sanitize_textarea_field

  2. Here’s an insanely simple hack-y idea

    At the top of /index.php, before WP gets its greedy little fingers on your incoming data, add this line:

    $_SPOST = null;
    if (isset($_SERVER['REQUEST_METHOD']) && strtoupper($_SERVER['REQUEST_METHOD']) === 'POST') {
       $_SPOST = $_POST;
    }
    

    Then whenever you know you’ll be passing code content back to the browser

    <?php
        //PHP code for action.php file
        echo $_SPOST['mycode']; // Outputs the submitted text as the user entered it, without the slashes WordPress added
    ?>
    

    But wait, there’s more.. we can hook back up within the WordPress ecosystem and transform our post after it’s been fiddled with and sanitized.

    This page gave me the idea to use parse_request, which fires once all query variables for the current request have been parsed.

    function use_spost() {
      global $_SPOST; // the copy saved at the top of index.php lives in global scope
      if (isset($_SPOST)) $_POST = $_SPOST;
    }
    add_action('parse_request', 'use_spost', 1);
    
  3. stripslashes_deep($_POST['mycode']) should work. This WordPress function uses the PHP built-in function stripslashes, while looping through an array or object. See the code reference for more information.

    WordPress is adding these slashes for backwards compatibility with magic quotes. There has been some discussion about this for the past 10 years as you can tell from this bug report.

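The slash round trip discussed in the answers above, as an added stand-alone PHP example that is not code from the question or any answer. The function names slash_like_wordpress(), unslash_deep() and render_submitted_code() are hypothetical, the first is a simplified stand-in for the slashing WordPress applies to $_POST, and the sample input is constructed. It shows that unslashing recovers the original text and that HTML escaping on output is a separate step that is still required.

```php
<?php
// Simplified stand-in (assumption) for the slashing WordPress applies to
// request data at startup: addslashes() on every string value, recursively.
function slash_like_wordpress($value) {
    return is_array($value)
        ? array_map('slash_like_wordpress', $value)
        : (is_string($value) ? addslashes($value) : $value);
}

// Same idea as stripslashes_deep(): undo the added slashes recursively,
// touching only strings so other types pass through unchanged.
function unslash_deep($value) {
    return is_array($value)
        ? array_map('unslash_deep', $value)
        : (is_string($value) ? stripslashes($value) : $value);
}

// Return the user's original text wrapped for display in an HTML page.
function render_submitted_code(array $post, string $field): string {
    $raw = (isset($post[$field]) && is_string($post[$field]))
        ? unslash_deep($post[$field])
        : '';
    // Unslashing restores the input; it does not make it safe to echo.
    // Escaping keeps "<iostream>" visible as text instead of being parsed
    // as an HTML tag, and stops any submitted markup from running.
    return '<pre><code>'
        . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8')
        . '</code></pre>';
}

// Constructed sample input: C++ with quotes, angle brackets and a backslash.
$submitted = [
    'mycode' => '#include <iostream>' . "\n" . 'cout<<"hello world\n";',
];

// What code running after WordPress has loaded would find in $_POST.
$post_like = slash_like_wordpress($submitted);

echo "as seen in \$_POST:\n", $post_like['mycode'], "\n\n";
echo "after unslashing:\n", unslash_deep($post_like['mycode']), "\n\n";
echo "escaped for output:\n", render_submitted_code($post_like, 'mycode'), "\n";

// The round trip is lossless: unslashing gives back exactly what was typed.
var_dump(unslash_deep($post_like) === $submitted);
```

Inside WordPress, wp_unslash() and esc_html() do the jobs that unslash_deep() and htmlspecialchars() do here.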