How to securely set dynamic HTML content with JavaScript?

Using wp_kses_post to escape the texts before setting them in wp_add_inline_script is a good approach to prevent malicious content from being added to the page. This will ensure that the text is properly sanitized and only contains allowed HTML tags and attributes.

If you want to allow certain HTML tags and attributes, you can use wp_kses instead of wp_kses_post and pass an array of allowed tags and attributes as a second argument.

Using element.innerHTML to set the contents of the elements is generally safe, as long as the content being set has been properly sanitized. In this case, since you are using wp_kses_post (or wp_kses with an appropriate set of allowed tags and attributes) to sanitize the text, it should be safe to use element.innerHTML.

Related Posts:

  1. SecurityError: Blocked a frame with origin from accessing a cross-origin frame
  2. What does wp-embed.min.js do in WordPress 4.4?
  3. How to use wordpress default Password Strength Meter script
  4. Register and enqueue conditional (browser-specific) javascript files?
  5. wp_enqueue_script() not working at all
  6. How to dequeue a script?
  7. Any advantage of using wp_scripts and is_IE when enqueuing scripts
  8. How to use wp_localize_script in custom page template?
  9. How to use Head JS with all enqueued scripts?
  10. wp_enqueue_script : how to change loading order of scripts?
  11. Remove extra Google Maps script
  12. What does wp-list.js do?
  13. Include jQuery UI as a whole
  14. How to echo JS right after enqueued script to put it into noConflict mode?
  15. Combine enqueue js without affecting dependencies
  16. Load multiple Javascript scripts
  17. WP script versioning breaks cross-site caching?
  18. wp_localize_script with boolean and init
  19. wp_register_script multiple identifiers?
  20. require.js to load javascript
  21. wp_enqueue_script isn’t connecting my custom js file
  22. TinyMCE in a div / textarea on frontend?
  23. How to add extra attributes to the script tag added via wp_localize_script()
  24. How do I enqueue(or delay loading of) tags in individual page posts?
  25. Include Javascript as Plain (No file inclusion)
  26. Move all the JS files to the bottom|footer, the right way
  27. Javascript not working?
  28. wp_enqueue_script adds only the first script
  29. How to add JavaScript file using wp_enqueue_scripts?
  30. Is it mandatory to enqueue any kind of Javsacript?
  31. wp_enqueue_script & constants?
  32. Can the index.asset.php file be used with the enqueue_block_editor_assets action?
  33. wp_enqueue_scripts is not working in my plugin
  34. How to place script in footer?
  35. Exclude JS file from 404 error page
  36. Building a slide down search box in wordpress
  37. Enqueue script if screen is greater than 500
  38. Script Localization doesn’t work
  39. Enqueue Javascript After ALL Other Scripts (Including Async Scripts)
  40. Enqueue js script to footer
  41. Enqueueing a script and a style sheet not working
  42. Adding a Javascript slideshow to the home page
  43. Is there a way to check for an attribute of a script when using script_loader_tag?
  44. Enqueue scripts all over but not in single.php
  45. Authentication with the Rest API when using an External Application
  46. Override do_item() Function to Add Extra Attribute to Scripts
  47. Proper way to enqueue a generated script that isn’t in a .js file?
  48. Enqueue scripts based on browser width?
  49. wp_enqueue_script not loading my custom js file
  50. Correctly enqueue scripts of type=text/paperscript (PaperJs Library)
  51. disable tags on wordpress text editor
  52. Scripts not loading through function Method in WordPress Theme
  53. How to execute Javascript on a WordPress page?
  54. Why is JavaScript being added to header as application/oembed?
  55. wp_enqueue_scripts not enqueing correctly
  56. Video script issue, JavaScript attribute remains ‘undefined’
  57. Javascript on Registration Page
  58. Do I just put the html in a page when enqueueng or do I also have to reference js file from the html page [closed]
  59. Should I manually resolve WP Core File security issues or await a subsequent WP release?
  60. Javascript asset not enqueuing with the rest
  61. Add crossorigin to SCRIPT tag
  62. Getting a variable inside foreach from PHP to JS after localization
  63. How do I know if I should enqueue JS code or just include it in ONE PHP function?
  64. Including Styles and JS files to work ON my plugin interface
  65. Linking wp_enqueue can’t find the javascript file (adds “?ver=x.x.x” to the src)
  66. Failing to load my script files in wordpress! i can’t figure out what i’m doing wrong
  67. Setting Variable Path to Template Directory inside Script
  68. wp_enqueue_script does not recognize my js file?
  69. What to include to use jQuery UI Auto Complete
  70. Bootstrap bundle present in page source but not working
  71. Dynamically add Js
  72. JS / jQuery in Elementor pages vs JS file
  73. Load JavaScript on specific page with @wordpress compiler
  74. How to load Javascript code or functions.php later in a child theme?
  75. Enqueued script fails
  76. Script Loaded in WordPress but won’t run
  77. How to pass data to javascript in custom widget class
  78. Loading two versions of same JS libary
  79. Proper way of minifiying java script files in wordpress theme
  80. How to register or enqueue script and stop it being called in head?
  81. Adding javascript script to header via functions.php
  82. How to delay display of page elements until enqueued script has injected html
  83. load-scripts.php loads incorrect file names
  84. Enqueue concatinated JS file in WordPress
  85. wp_enqueue_scripts doesn’t work for template pages
  86. JavaScript and Google PageSpeed + wp_enqueue_script
  87. Javascript file doesn’t load
  88. Put dynamic Javascript in header after doing operations
  89. early enqueueing javascript file in page template, not in functions.php
  90. Dequeue set-post-thumbnail.min.js
  91. jQuery + more won’t load in header
  92. JS enqueue path (localhost)
  93. Why can’t I load JS script in a plugin?
  94. Script loaders vs wp_enqueue_script
  95. convertEntities() used before it is defined
  96. JavaScript file successfully registered but does not render correctly
  97. wp_enqueue has a resource but doesn’t generate a script tag [duplicate]
  98. Orbit Slider and Events Manager Plug-in JavaScript
  99. Securing Contact Form 7 [closed]
  100. Uncaught ReferenceError: tippy is not defined