storing javascript in text area

This topic has 10 replies, 2 voices, and was last updated 5 years ago by Anh Tran.

Viewing 11 posts - 1 through 11 (of 11 total)

Author

Posts
December 14, 2019 at 11:13 AM #17450
[email protected]
Participant
I remember that for security you've disabled storing javascript in a textarea, but you gave me a workaround that I can no longer find. I want to have the user store some html in a custom field in a Post, then use Beaver Themer to connect to that code and insert it into an html module on the Post Singular BB template.

Here's a sample of the code (only the data-id value changes on every Post)
```
<div class="into-container gn-immune cleanslate">
    <a href="https://embed.lookin.to/badge/badge.bundle.js">https://embed.lookin.to/badge/badge.bundle.js</a>
</div>
```
How can I do that?

Add New Note to this Reply
March 20, 2020 at 3:12 AM #18593
[email protected]
Participant
I looked at the documentation but I'm still having disabling sanitize for textarea field using the following code, can you point out what I'm doing wrong?
```
add_filter( 'rwmb_meta_boxes', function( $meta_boxes ) {
    $meta_boxes[] = [
        'title' => 'Team Field Group',
        'fields' => [
            [
                'type'              => 'textarea',
                'id'                => 'embed_code',
                'name'              => 'Widget Embed Code',
                'sanitize_callback' => 'none',
            ]
        ],
    ];
    return $meta_boxes;
} ); 
```
Add New Note to this Reply
March 20, 2020 at 3:18 AM #18594

[email protected]
Participant

Add New Note to this Reply

March 20, 2020 at 3:51 AM #18595
[email protected]
Participant
another example that doesn't work:
```
add_filter( 'rwmb_meta_boxes', function( $meta_boxes ) {
    $meta_boxes[] = [
        'title' => 'Story Field Group',
        'fields' => [
            [
                'type'              => 'textarea',
                'id'                => 'textarea_6dgymvsrfq5',
                'name'              => 'Full code snippet',
                'sanitize_callback' => 'none',
            ]
        ],
    ];
    return $meta_boxes;
} );
```
Add New Note to this Reply
March 20, 2020 at 5:03 PM #18605

Anh Tran
Keymaster

Hi,

I've tested and seen that the HTML data is stored correctly, and outputted correctly. Please see my video:

https://www.loom.com/share/9a597fe6bee64a6da559123dc84f4993

Maybe what you want is executing the script, not outputting its URL? Is that the script tag or a tag?

Add New Note to this Reply

March 21, 2020 at 8:25 AM #18619

[email protected]
Participant

Wow! That was so simple!!

In reviewing the documentation regarding sanitization it was not clear that you can override the sanitization on any custom field you create by simply adding a "sanitize_callback" Attribute with the value= "none" in the Advanced tab on that field.

No coding necessary, nothing to add to the functions.php file, etc.

Could you somehow make this solution more visible in the documentation?

Thank you very much for staying with me on this and showing me how to solve my problem.

Hope you and everyone close are healthy and continue to stay healthy.

Pieter

Add New Note to this Reply

March 21, 2020 at 9:49 AM #18621

Anh Tran
Keymaster

Hi Pieter,

Thanks for your suggestion regarding the docs. I've just updated it here.

Add New Note to this Reply

March 21, 2020 at 12:19 PM #18627

[email protected]
Participant

That’s a little more clear, but what’s missing is the screenshot showing how you can apply the sanitize_callback none so easily in a custom field advanced tab UI.

You say this:

Bypass The Sanitization

If you don’t want to sanitize the input value for a specific field (we don’t encourage this, obviously), then simply set the sanitize_callback to none:

And then you show the resulting code, but you never show where or how you set the sanitize_callback to none!

For me at least, I had no idea you could do that, and nowhere in the docs that I could find was a suggestion to use the advance tab attributes to do this. Maybe this is obvious to you, but I participate in a weekly WordPress support group that has PHP and JavaScript engineers, WordPress experts, and nobody could figure out how to do it. One of the reasons I use metabox and beaver builder and beaver Thiemer is to avoid hand coding. The actual solution is so simple and elegant, but it is not intuitive.

Thanks again for making such a great product.

Add New Note to this Reply

March 23, 2020 at 10:14 AM #18660

Anh Tran
Keymaster

Thanks a lot! I added a screenshot on that page, and also on field settings page.

Add New Note to this Reply

March 23, 2020 at 11:33 AM #18664

[email protected]
Participant

That’s perfect +1

I made a blog post about it on my website too

https://wp-website-coach.com/code-snippet/storing-javascript-in-a-metabox-io-custom-field-textarea/

Add New Note to this Reply

March 23, 2020 at 4:29 PM #18666

Anh Tran
Keymaster

That's awesome! Thanks for sharing with other people!

Add New Note to this Reply
Author

Posts

Viewing 11 posts - 1 through 11 (of 11 total)

You must be logged in to reply to this topic.