Customize Plugin

I am trying to create a custom welcome panel in the dashboard for WP and can't see where I went wrong. It's not allowing me to add HTML.

Topic htmlspecialchars-decode php metabox Wordpress

Category Web

Your update_option should be inside a hook callback and should check to see if $_POST['custom_welcome_panel'] is set before trying to update the option. Otherwise that could be overwriting your option every time the page loads. And, honestly, as written I could shove anything I wanted into that option value. I'd just have to send a POST request to the site. It is very insecure.

Move your update_option into your function, check that it is set and not empty before trying to use it, and process it like post content, at least.

function custom_welcome_panel() {
    // only touch the option when the form field was actually submitted
    if (!empty($_POST['custom_welcome_panel'])) {
        // strip anything that would not be allowed in post content
        $option = wp_kses_post( $_POST['custom_welcome_panel'] );
        update_option('custom_welcome_panel', $option);
    }

    $customwelcome_panel = html_entity_decode(get_option( 'custom_welcome_panel' ));
    // the rest of your code
}

You should also be using nonces.

It looks like you might be hacking a core file (options.php), which is a very bad idea if true. If so, that hack will be overwritten the next time WordPress is updated, and your code stops working.

I tried this...

update_option('html_test', '<p><a href="yay">Does HTML WOrK?</a></p>');

... and the HTML is inserted just fine and it comes back out just fine. So I took a look at the jQuery.

The problem is here:


Imagine what happens with that populated by my HTML:

jQuery("#welcome-panel").html("<p><a href="yay">Does HTML WOrK?</a></p>")

Notice you have two sets of " now. The quotes open before the <p> then close after href= and open again after yay. The problem is that there are stray characters in between. The following works but only if your markup is consistent and always uses "s around attributes.

jQuery("#welcome-panel").html(\''.$customwelcome_panel.'\').delay(300).fadeTo(\'slow\', 1);

Using addslashes would be more robust:

jQuery("#welcome-panel").html("'.addslashes($customwelcome_panel).'").delay(300).fadeTo(\'slow\', 1);

I am not sure how reliable that is going to be. I only spent five minutes testing it.

Put that together and I think that should work. I am not responsible for the security of your project or for the robustness of the solution. I am hacking this together from barely sufficient information, but it is pretty basic stuff.
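Pulling the two points of the answer together (guard the save with a capability check plus a nonce, and hand the stored HTML to jQuery without splicing it into a quoted string), here is an added example of how the panel could be wired up as a small plugin. It is not the asker's or the answerer's code; the option name, POST field, nonce action and the `cwp_` function names are assumptions, and it assumes the panel is being replaced via the `welcome_panel` action on the dashboard.

```php
<?php
/**
 * Added example (not code from the thread): a hardened custom welcome panel.
 * Assumed/hypothetical names: option 'custom_welcome_panel', POST field
 * 'custom_welcome_panel', nonce action 'save_custom_welcome_panel', and the
 * cwp_* functions. Loaded as a plugin file inside WordPress.
 */

// 1. Save handler: runs on admin requests only, does nothing unless the form
//    was posted, ignores users without manage_options, and requires a nonce.
function cwp_save_custom_welcome_panel() {
    if ( ! isset( $_POST['custom_welcome_panel'] ) ) {
        return; // nothing submitted, so the option is left untouched
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // anonymous or low-privilege POSTs cannot overwrite the option
    }
    // Dies with an error page if the nonce is missing, expired or forged.
    check_admin_referer( 'save_custom_welcome_panel', 'cwp_nonce' );

    // Remove WP's magic-quote slashes, then keep only post-content HTML
    // (no <script>, no on* attributes, no javascript: URLs).
    $clean = wp_kses_post( wp_unslash( $_POST['custom_welcome_panel'] ) );
    update_option( 'custom_welcome_panel', $clean );
}
add_action( 'admin_init', 'cwp_save_custom_welcome_panel' );

// 2. Settings form under Settings > Welcome Panel; the nonce field ties the
//    POST to this logged-in user's session.
function cwp_render_settings_form() {
    ?>
    <div class="wrap">
        <h1>Welcome Panel</h1>
        <form method="post">
            <?php wp_nonce_field( 'save_custom_welcome_panel', 'cwp_nonce' ); ?>
            <textarea name="custom_welcome_panel" rows="8" cols="60"><?php
                echo esc_textarea( get_option( 'custom_welcome_panel', '' ) );
            ?></textarea>
            <?php submit_button( 'Save welcome panel' ); ?>
        </form>
    </div>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page(
        'Welcome Panel', 'Welcome Panel', 'manage_options',
        'cwp-welcome-panel', 'cwp_render_settings_form'
    );
} );

// 3. Output: emit the stored HTML as a JSON string literal. wp_json_encode()
//    escapes double quotes, newlines and forward slashes, so a " inside an
//    attribute cannot end the string and a </script> sequence in the stored
//    markup cannot close the script block (it becomes <\/script>).
function cwp_welcome_panel_script() {
    $html = get_option( 'custom_welcome_panel', '' );
    ?>
    <script>
    jQuery(function ($) {
        $("#welcome-panel")
            .html(<?php echo wp_json_encode( $html ); ?>)
            .delay(300)
            .fadeTo("slow", 1);
    });
    </script>
    <?php
}
add_action( 'welcome_panel', 'cwp_welcome_panel_script' );
```

Compared with `addslashes`, the JSON encoding step handles every character that can end a JavaScript string literal, not just quotes and backslashes, and the `admin_init` handler means a bare POST from an unauthenticated visitor never reaches `update_option`.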
