Stripslashes in textarea in a WordPress plugin option

Working on a WordPress plugin today I found that when HTML was added within a ‘textarea’, backslashes (\) were being added to the code wherever there was an apostrophe or quotation mark.

After hunting down a solution by searching for things like:

wordpress text stripslashes
wordpress stripslashes in textarea
wordpress slashes in textarea
wordpress plugin options textarea slashes

etc. etc. etc.!

I tried a suggestion which is supposed to disable PHP magic quotes, found in this article:

Getting rid of unwanted backslashes in WordPress form input from fearlessflyer.com

<?php 
if ( get_magic_quotes_gpc() ) { 
$_POST = array_map( 'stripslashes_deep', $_POST ); 
$_GET = array_map( 'stripslashes_deep', $_GET ); 
$_COOKIE = array_map( 'stripslashes_deep', $_COOKIE ); 
$_REQUEST = array_map( 'stripslashes_deep', $_REQUEST ); 
} 
?>

Unfortunately this didn’t work, and there’s a warning at WordPress.org about this stripslashes_deep method being unreliable:

“Please Note: On any page load where WordPress itself loads, the above example will be unreliable. Very early in its execution, WordPress intentionally adds “magic quotes” for the sake of consistency. This is regardless of the return of get_magic_quotes_gpc(). Core code, and plugins all over, expect the values of $_REQUEST etc to be escaped.”

The solution to the problem of backslashes in a textarea in a WordPress plugin…

I eventually found the solution from this post on the WordPress forum where Rev. Voodoo was having the backslashes problem on text input, but NOT on textareas – so I just took a look at the method he used on the textarea’s and copied that.

When you echo the option in to the textarea, that’s where you add your ‘stripslashes’ code, like so:

<textarea name="myplugin_options[mytextarea-option]" rows="7" cols="57" type='textarea'><?php echo stripslashes($options['mytextarea-option']); ?></textarea>

And voila! Backslashes are no more :)

But then – I had a problems displaying the options in my theme on the front end of the site. First, the HTML code was printing as escaped entities (I think that’s the correct way to describe it…) – meaning on my page I could see the ‘< p >‘ and ‘< a href' etc. as text rather than them being displayed as a regular HTML paragraph and anchor, and I was getting backslashes again. This is the code I was originally using to display the option in my theme:

<?php 
$options = get_option('myplugin_options');
$mytextareaoption = $options['mytextarea-option'];
echo "{$mytextareaoption}";
<?php>

And this is the updated code I used to display the option in my theme, without any HTML escaping errors or backslashes:

<?php 
$options = get_option('myplugin_options');
$mytextareaoption = $options['mytextarea-option'];
esc_html( $mytextareaoption );
echo stripslashes ( "{$mytextareaoption}" );
?>

And voila again! No HTML errors or backslashes on the front end :)

For reference: this article about Data Validation at WordPress.org is really informative. Although, there are so many options it can a bit overwhelming understanding which one is best to use in a situation. Nevertheless, it’s definitely worth a read to help us learn more about WordPress development.

Comments are closed.