johnpbloch
commented
12 years ago A better way to do this would be to use WordPress' native escaping function for ALL variable content, allowing correct rendering and preventing XSS attacks.
For textareas:
echo esc_textarea( $whatever );For attributes:
echo esc_attr( $whatever );For code that needs to be functional:
echo esc_html( $whatever );unless it's javascript, in which case:
echo esc_js( $whatever );And, of course, if it's a url:
echo esc_url( $whatever );
http://pea.rs/forms/multi-left-labels doesn't work but you can use htmlspecialchars() to the html section in the loop
<?php $key="html"; echo get_post_meta($post->ID, $key, true); ?>
to
<?php $key="html"; echo htmlspecialchars(get_post_meta($post->ID, $key, true)); ?>