6

Whenever I get an input from a <textarea> or an input field, WordPress sanitizes my input and escapes all special characters. How can I disable this feature? For example, if I have the following HTML code that accepts a C++ code such as cout<<"hello world"; WordPress will convert it to cout<<\"hello world\";.

<!--HTML code-->
<form action="/action.php" method="post">
  <input type="text" name="mycode" value="cout<<'hello world';">
  <input type="submit" value="Submit">
</form>


<?php
    //PHP code for action.php file
    echo $_POST['mycode'];//This output will have all the special characters escaped
    //I need this to give me the original text entered by the user without /s. 
?>

I am using WordPress version 5.7.2. Any time I use a special character like \, ', " it will get \ in front of it. I have tried this using different WordPress themes and the result is still the same. If I use stripcslashes($_POST['mycode']) this gets rid of these \. But I was wondering if there is a way to stop WordPress from doing this from the start. The following shows an image of the input and output I get.


D P.
  • Hi, you mean while saving the value in the database? Because $_POST['mycode']; will give the exact value without sanitizing. If it's sanitizing while saving in the database then it's better to save the value in serialized array format. – Shaikh Aejaz Ahmed Jun 23 '21 at 17:42
  • @ShaikhAejazAhmed Thank you for the reply. I am not saving these input values in a database. `$_POST['mycode'];` will give exact value without sanitize it if I use another non WordPress website. However, if I have this inside a WordPress website, it gets sanitized automatically. I tried changing to different themes and still my input get sanitized. I am using WordPress version 5.7.2 – D P. Jun 23 '21 at 18:04
  • Can you show us what your action.php looks like? Which version of PHP are you using? Perhaps your webhost is forcing magic quotes in PHP, which automatically escapes everything? Can you check the magic quotes status with phpinfo()? – Wadih M. Jun 25 '21 at 23:16
  • Try to change the result of submission using a variable and replace it using: `$final_mycode = str_replace('\','',$result_value_mycode); echo htmlspecialchars($final_mycode);` – Joe Kdw Jun 26 '21 at 00:18
  • @WadihM. I am using PHP Version 7.4.11. I didn't see magic quotes being shown in my phpinfo(). The hosting server I am using is `hostinger`. The action.php file has the line `echo $_POST['mycode'];` – D P. Jun 26 '21 at 01:10
  • Are you looking to disable this sanitization across the board for everything, or just for certain element names? – Kinglish Jun 26 '21 at 05:55
  • Can someone explain why `stripslashes()` isn't an option? I see there was a deleted answer in this direction already. – Carsten Massmann Jun 26 '21 at 06:43
  • I can't close it while the bounty is open, but I believe this is a duplicate of https://stackoverflow.com/questions/8949768/with-magic-quotes-disabled-why-does-php-wordpress-continue-to-auto-escape-my – IMSoP Jun 26 '21 at 08:53

3 Answers

2

stripslashes_deep($_POST['mycode']) should work. This WordPress function uses the PHP built-in function stripslashes while looping through an array or object. See the code reference for more information.

WordPress adds these slashes for backwards compatibility with magic quotes. There has been some discussion about this for the past 10 years, as you can tell from this bug report.

Dirk J. Faber
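The defender's version of the same idea, as an added example that is not part of any answer above: undo the WordPress slashing with wp_unslash() (a wrapper around stripslashes_deep) and then escape the raw value before it reaches the browser, because the raw input is user-controlled. It assumes it runs inside WordPress (so wp_unslash, esc_html and esc_textarea exist); the function name and the `mycode` field are taken from the question.

```php
<?php
// Added example: read the 'mycode' field after WordPress's wp_magic_quotes()
// has run addslashes() over $_POST, restore the raw text, and output it safely.
// mycode_render_submission() is a hypothetical helper name for this example.

function mycode_render_submission() {
    if ( ! isset( $_POST['mycode'] ) || ! is_string( $_POST['mycode'] ) ) {
        return '';
    }

    // WordPress has already slashed every value in $_POST.  wp_unslash() strips
    // those slashes recursively, so cout<<\"hello world\"; becomes
    // cout<<"hello world"; again (the text the user actually typed).
    $raw = wp_unslash( $_POST['mycode'] );

    // The raw string is untrusted.  Echoing it unescaped would let a submitted
    // <script> tag execute in the page, so escape it for the context it lands in:
    //   esc_html()     for text inside a <pre> / <p> / <div>
    //   esc_textarea() for refilling the <textarea> the user typed into
    $shown  = '<pre>' . esc_html( $raw ) . '</pre>';
    $refill = '<textarea name="mycode">' . esc_textarea( $raw ) . '</textarea>';

    return $shown . "\n" . $refill;
}

echo mycode_render_submission();
```

Both escapes leave the C++ source readable in the browser (the entities render back as `<`, `"` and `'`), so the user sees exactly what they entered without the stray backslashes and without the page executing anything they submitted.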
1

Here's an insanely simple hack-y idea

At the top of /index.php, before WP gets its greedy little fingers on your incoming data, add this line:

$_SPOST = null;
if (isset($_SERVER['REQUEST_METHOD']) && strtoupper($_SERVER['REQUEST_METHOD']) === 'POST') {
   $_SPOST = $_POST;
}

Then whenever you know you'll be passing code content back to the browser:

<?php
    //PHP code for action.php file
    echo $_SPOST['mycode'];//$_SPOST was copied before WordPress added slashes, so this is the original text entered by the user
?>

But wait, there's more... we can hook back up within the WordPress ecosystem and transform our post after it's been fiddled with and sanitized.

This page gave me the idea to use parse_request, which fires once all query variables for the current request have been parsed.

function use_spost() {
  global $_SPOST; // $_SPOST is an ordinary global, not a superglobal, so it must be imported here
  if (isset($_SPOST)) $_POST = $_SPOST;
}
add_action('parse_request', 'use_spost', 1);

Kinglish
0

You should be able to use the sanitize_text_field filter:

/*
 * Filters the output from sanitize_text_field
 * @param $filtered string - the sanitized string
 * @param $original_string string - the original unsanitized string
 *
 * @return string - the unsanitized string
 */
add_filter( 'sanitize_text_field', static function( $filtered, $original_string ) { return $original_string; }, 10, 2 );

Basically, rather than returning the filtered string through the private _sanitize_text_field method, you return the original string that was passed into the input.

You can do the same thing for textareas using: sanitize_textarea_field

disinfor
  • Thank you for this answer. I assume this code you provided needs to be placed somewhere in the `wp-includes/formatting.php` folder? Or do I need to edit some of their existing functions for sanitizing? – D P. Jun 26 '21 at 01:01
  • 1
    you can add it to your theme's functions.php or in your plugin files. – Cornel Raiu Jun 26 '21 at 01:02