Echo JavaScript Safely

What you’re asking for is impossible, there is no such thing as a safe javascript entry box.

Even if we strip out extra script and style tags, it’s pointless, as the javascript code itself is inherently dangerous, and can create any elements it wants using DOM construction, e.g.:

var s = jQuery( 'script', { 'src': 'example.com/dangerous.js' } );
jQuery('body').append( s );

Or

var s = jQuery( 'link', {
    'rel': 'stylesheet',
    'type': 'text/css',
    'href': 'example.com/broken.css'
} );
jQuery('body').append( s );

Nevermind something that steals your login cookies, etc. Javascript is inherently dangerous, and what you’re trying to implement is an attack vector. This isn’t because people might break out of javascript, but because the javascript itself is potentially dangerous

Related Posts:

  1. Should I sanitize an email address before passing it to the is_email() function?
  2. Escaping and sanitizing SVGs in metabox textarea
  3. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  4. Reason for Lowercase usernames
  5. What is the best way to sanitize data?
  6. Should nonce be sanitized?
  7. esc_url removes white space. Can I change that to using ‘-‘?
  8. WP Coding standards – escaping the inescapable?
  9. Sanitatizing when using the posts_where hook
  10. Escape hexadecimals/rgba values
  11. Must I serialize/sanitize/escape array data before using set_transient?
  12. wp_kses ignore allowed and allow everything
  13. Sanitize array callback for the WordPress Settings API
  14. How to escape $_GET and check if isset?
  15. What’s a safe / good way to output HTML safely within WordPress templates?
  16. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  17. Sanitizing output that contains quotes?
  18. WP_Customize_Manager: How to get control ID
  19. How to use wp_filter_oembed_result?
  20. Sanitization html output itself
  21. Post text sanitization after publishing/editing – changes are not saved
  22. wp_set_object_terms() without accents
  23. Escaping data from database (users table) is necessary?
  24. Properly sanitize an input field “Name “
  25. How safe / sanitized is wp_insert_posts()?
  26. What’s the difference between esc_* functions?
  27. Sanitizing integer input for update_post_meta
  28. Which KSES should be used and when?
  29. Is sanitize_text_field() is enough to save to DB?
  30. Escaping quotes from shortcode attributes
  31. How to sanitize select box values in post meta?
  32. WP doesn’t show Array Custom Fields?
  33. Do Cookies Need to be Sanatized Before Being Saved?
  34. What is the difference between strip_tags and wp_filter_nohtml_kses?
  35. Sanitizing post content for use in an email
  36. How to get input_attrs in the sanitize function?
  37. What is the difference between sanitize_text_field() and wp_filter_nohtml_kses()?
  38. I’m confused about URL sanitization in meta boxes
  39. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  40. where to apply “apply filters” and other Sanitization Functions
  41. How to save html and text in the database?
  42. Multiple register settings, with same option name – issue
  43. Is default functions like update_post_meta safe to use user inputs?
  44. vs WordPress Security
  45. Who is responsible for data sanitization in WordPress development?
  46. How to sanitize user input?
  47. Change filename during upload
  48. How to sanitize my cookie name
  49. Do We Need to Validate, Sanitize, or Filter Simple Numerical Superglobals (Cookies and Post)?
  50. wpdb get_results() and prepare when to use prepare?
  51. WordPress Settings API – Sanitize Integer
  52. Preserve old values on error in setting API
  53. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  54. CSS from textarea in options page to frontend what to do
  55. How to get rid of shortcodes in post content once and for all
  56. Is it sensible to worry about sanitizing admin input in plugin custom CSS?
  57. What is the safe way to print tracking code / pixel code before tag or tag
  58. How to use sanitize_callback?
  59. Unable to sanitize in customizer and escape in theme without removing ability for user to use “< br >” to insert a line break
  60. Are all hooks/functions tied to Kses meant for sanitization?
  61. sanitize_text_field and apostrophe problem
  62. Getting error to display radio button value in General Settings page
  63. Escaping date string in url with wordpress
  64. WordPress messes up with data attributes in shortcode output
  65. Does meta-data need to be sanitized?
  66. textarea field is getting escaped for some unknown reason
  67. Can A Post Meta Field Store multiple values that are not in an array?
  68. esc_attr on get_post_meta [closed]
  69. Do we need to escape data that we receive from theme options?
  70. Input sanitation
  71. Sanitize user input fields before wp_insert_post
  72. How WordPress sanitizes post content on save? Or it doesn’t?
  73. Function sanitize_title() does not appear to be working
  74. Restrict characters in comment section
  75. Toggle Shortcode Sanitize Title
  76. How to use checked() function with multiple check box group? How to properly sanitize that checkbox group?
  77. Sanitizing URL in a WordPress plugin
  78. How to allow arbitrary inline CSS in posts?
  79. how to sanitize customizer checkbox control
  80. Trouble matching strings (titles) using wp_query
  81. Sanitize WordPress Array Input?
  82. How to save Checkbox-Options in Plugin Options Page
  83. Customizer textarea with script tag won’t work in live preview
  84. do I need to sanitize a shortcode’s function input?
  85. Data not displaying in text field
  86. Array/List Edit in Backend
  87. Escaping and sanitization
  88. Escaping WP_Query tax_query when term has special character(s)
  89. Proper Way to Sanitize Meta Input
  90. Comparing pre-saved post_title to post-saved post_title
  91. Save selectlist value (taxonomy) in wp:wp_set_object_terms
  92. Settings api sanatize callback not being triggered
  93. Auto post with filling templates from external data and update periodical
  94. Notice: Undefined index: in options-framework.php
  95. Sanitizing a custom query’s clauses
  96. Customizer sanitize_callback for input type number
  97. How to use esc_attr__() function properly to translate a variable that contains string?
  98. oneOf two possible objects in WP REST API?
  99. How can I properly sanitize the update_option in WordPress?
  100. Extend file format support for post thumbnails