And there I thought I knew WordPress well. It now seems that update_option() auto-escapes code. If I want to save some JavaScript or HTML code in an option, this behavior renders the code unusable.

I refuse to do a str_replace on the returned value to filter out every backslash. There has to be a better way.

Here's the PHP for the text box to enter some code:

<?php $option = unserialize(get_option('option')); ?>

<textarea name="option[box]"><?php echo $option['box']; ?></textarea>

This is what happens after submitting the form (in essence):

update_option('option', serialize($_POST));

Any ideas?

Edit: I now got it to work by using PHP's stripslashes() where the script has to be rendered, and htmlentities(stripslashes()) in the text box to display the stored code. While this does the job, I'd still like to know if there is a better solution.

+1  A: 

"It now seems that update_option() auto-escapes code."

It only sanitizes the value for database entry. You'll find the real troublemaker is around line 750 in wp-settings.php, and the WP function add_magic_quotes().

Yep, you read that right, add magic quotes!

For some reason, WordPress decided to enforce magic quotes, so you'll always need to stripslashes on GET and POST when writing plugins and the like.

TheDeadMedic
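
The round trip discussed above, as an added example that is not part of the original question or answer: remove the slashes WordPress adds once on the save path, store the clean value, and escape for the textarea context only when rendering. The `myplugin_*` function names and the sample input are hypothetical; the stand-in definitions exist only so the script runs outside WordPress.

```php
<?php
// Added example, not code from the original thread.
// Stand-ins so this runs outside WordPress; inside WordPress the real
// wp_unslash() and esc_textarea() are already defined and these are skipped.
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        if (is_array($value)) {
            return array_map('wp_unslash', $value);
        }
        return is_string($value) ? stripslashes($value) : $value;
    }
    function esc_textarea($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample: what $_POST holds after WordPress has slashed it.
$raw  = '<script>alert("hi");</script></textarea>';
$post = array('option' => array('box' => addslashes($raw)));

// Save path: unslash once at the input boundary and keep only the expected
// key instead of storing all of $_POST.
function myplugin_clean_box(array $post) {
    $in = (isset($post['option']) && is_array($post['option']))
        ? wp_unslash($post['option'])
        : array();
    return array('box' => isset($in['box']) ? (string) $in['box'] : '');
}

// Render path: escape for the textarea so stored markup (including a
// literal </textarea>) is displayed as text and cannot close the element.
function myplugin_render_box(array $option) {
    return '<textarea name="option[box]">'
        . esc_textarea($option['box'])
        . '</textarea>';
}

$clean = myplugin_clean_box($post);

// In WordPress, after a capability and nonce check:
//   update_option('option', $clean);  // arrays are serialized automatically
//   $stored = get_option('option');   // comes back as an array

echo ($clean['box'] === $raw) ? "stored value matches input\n" : "mismatch\n";
echo myplugin_render_box($clean), "\n";
```

Because the value is unslashed before it is stored, no stripslashes() call is needed where the script is later rendered.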