WordPress already disallows the use of JavaScript in the editor for users without the unfiltered_html capability. By default, only the Administrator and Editor roles have this capability. If necessary, you could remove this capability from Editor users as well. (It doesn’t make sense to remove it from Administrators, because they will still have the ability to install plugins, and thus execute whatever kind of code they want to.)
This code should do that for you:
```php
// Remove the unfiltered_html capability from the Editor role.
function wpse_285333_remove_unfiltered_html_cap() {
	$wp_roles = wp_roles();
	$wp_roles->remove_cap( 'editor', 'unfiltered_html' );
}
// This function actually only needs to run once, so you can comment this out
// after loading the site once.
add_action( 'init', 'wpse_285333_remove_unfiltered_html_cap', 5 );
```
There are also plugins available to help with managing roles and capabilities.
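The following is an added example, not part of the original answer: a small plugin that makes the one-time role change on activation instead of on every `init`, and reports which users can still effectively post unfiltered HTML. The plugin name and the `rufh_` prefix are hypothetical; the audit uses `user_can()` so that multisite restrictions and the `DISALLOW_UNFILTERED_HTML` constant are reflected in the result.

```php
<?php
/**
 * Plugin Name: Restrict unfiltered_html (example)
 *
 * Added example: plugin name and rufh_ function prefix are hypothetical.
 */

// Role capabilities are stored in the database, so the removal only has to
// happen once. Activation is the natural place for a one-time change.
register_activation_hook( __FILE__, 'rufh_activate' );
function rufh_activate() {
	$role = get_role( 'editor' );
	if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
		$role->remove_cap( 'unfiltered_html' );
	}
}

// Restore the WordPress default for Editors when the plugin is deactivated.
register_deactivation_hook( __FILE__, 'rufh_deactivate' );
function rufh_deactivate() {
	$role = get_role( 'editor' );
	if ( $role ) {
		$role->add_cap( 'unfiltered_html' );
	}
}

/**
 * Report which roles grant unfiltered_html and which users effectively
 * hold it. user_can() runs the full capability check, so it also accounts
 * for capabilities granted to a single user rather than to a role.
 *
 * @return array { 'roles' => string[], 'users' => string[] }
 */
function rufh_audit() {
	$report = array( 'roles' => array(), 'users' => array() );

	foreach ( wp_roles()->role_objects as $name => $role ) {
		if ( $role->has_cap( 'unfiltered_html' ) ) {
			$report['roles'][] = $name;
		}
	}

	// Loads every user; narrow the query on sites with many accounts.
	foreach ( get_users() as $user ) {
		if ( user_can( $user, 'unfiltered_html' ) ) {
			$report['users'][] = $user->user_login;
		}
	}

	return $report;
}
```

After activation, `rufh_audit()` should list only `administrator` under `roles`; any non-administrator login under `users` has been granted the capability some other way and is worth reviewing.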