storing javascript in text area

  • #17450
    hartsook@gmail.com
    Participant

    I remember that for security you've disabled storing javascript in a textarea, but you gave me a workaround that I can no longer find. I want to have the user store some html in a custom field in a Post, then use Beaver Themer to connect to that code and insert it into an html module on the Post Singular BB template.

    Here's a sample of the code (only the data-id value changes on every Post)

    <div class="into-container gn-immune cleanslate">
        <a href="https://embed.lookin.to/badge/badge.bundle.js">https://embed.lookin.to/badge/badge.bundle.js</a>
    </div>

    How can I do that?

    #18593
    hartsook@gmail.com
    Participant

    I looked at the documentation but I'm still having trouble disabling sanitize for the textarea field using the following code. Can you point out what I'm doing wrong?

    add_filter( 'rwmb_meta_boxes', function( $meta_boxes ) {
        $meta_boxes[] = [
            'title' => 'Team Field Group',
            'fields' => [
                [
                    'type'              => 'textarea',
                    'id'                => 'embed_code',
                    'name'              => 'Widget Embed Code',
                    'sanitize_callback' => 'none',
                ]
            ],
        ];
        return $meta_boxes;
    } );

    #18594
    hartsook@gmail.com
    Participant

    disable sanitize for textarea code that's not working

    #18595
    hartsook@gmail.com
    Participant

    another example that doesn't work:

    add_filter( 'rwmb_meta_boxes', function( $meta_boxes ) {
        $meta_boxes[] = [
            'title' => 'Story Field Group',
            'fields' => [
                [
                    'type'              => 'textarea',
                    'id'                => 'textarea_6dgymvsrfq5',
                    'name'              => 'Full code snippet',
                    'sanitize_callback' => 'none',
                ]
            ],
        ];
        return $meta_boxes;
    } );

    how textarea field is set up in field group

    #18605
    Anh Tran
    Keymaster

    Hi,

    I've tested and seen that the HTML data is stored correctly, and outputted correctly. Please see my video:

    https://www.loom.com/share/9a597fe6bee64a6da559123dc84f4993

    Maybe what you want is executing the script, not outputting its URL? Is that the script tag or a tag?

    #18619
    hartsook@gmail.com
    Participant

    Wow! That was so simple!!

    In reviewing the documentation regarding sanitization it was not clear that you can override the sanitization on any custom field you create by simply adding a "sanitize_callback" Attribute with the value= "none" in the Advanced tab on that field.

    No coding necessary, nothing to add to the functions.php file, etc.

    Could you somehow make this solution more visible in the documentation?

    Thank you very much for staying with me on this and showing me how to solve my problem.

    Hope you and everyone close are healthy and continue to stay healthy.

    Pieter

    #18621
    Anh Tran
    Keymaster

    Hi Pieter,

    Thanks for your suggestion regarding the docs. I've just updated it here.

    #18627
    hartsook@gmail.com
    Participant

    That’s a little more clear, but what’s missing is the screenshot showing how you can apply the sanitize_callback none so easily in a custom field advanced tab UI.

    You say this:

    Bypass The Sanitization

    If you don’t want to sanitize the input value for a specific field (we don’t encourage this, obviously), then simply set the sanitize_callback to none:

    And then you show the resulting code, but you never show where or how you set the sanitize_callback to none!

    For me at least, I had no idea you could do that, and nowhere in the docs that I could find was a suggestion to use the Advanced tab attributes to do this. Maybe this is obvious to you, but I participate in a weekly WordPress support group that has PHP and JavaScript engineers, WordPress experts, and nobody could figure out how to do it. One of the reasons I use Meta Box and Beaver Builder and Beaver Themer is to avoid hand coding. The actual solution is so simple and elegant, but it is not intuitive.

    Thanks again for making such a great product.

    #18660
    Anh Tran
    Keymaster

    Thanks a lot! I added a screenshot on that page, and also on field settings page.

    #18664
    hartsook@gmail.com
    Participant

    That’s perfect +1

    I made a blog post about it on my website too

    https://wp-website-coach.com/code-snippet/storing-javascript-in-a-metabox-io-custom-field-textarea/

    #18666
    Anh Tran
    Keymaster

    That's awesome! Thanks for sharing with other people!
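
Added example, not part of the thread and not Meta Box's own code: instead of `'none'`, `sanitize_callback` can name a function, so the field keeps only the per-post `data-id` and the widget markup is rebuilt from a fixed template. The function name `prefix_sanitize_embed_code`, the `data-id` character set, and the `<div>` plus `<script src>` shape of the widget are assumptions; the class names and script URL are the ones quoted in the first post.

```php
<?php
// Added example; not the poster's or Meta Box's code.
// Assumptions: the function name, the data-id character set, and that the
// widget is a <div data-id="..."> followed by a <script src="...">.
const PREFIX_EMBED_SCRIPT = 'https://embed.lookin.to/badge/badge.bundle.js';

function prefix_sanitize_embed_code( $value ) {
    // Unslash defensively: harmless if the value is already unslashed,
    // because the pattern below admits no backslashes.
    $raw = wp_unslash( (string) $value );

    // Extract the only part that varies per post.
    if ( ! preg_match( '/\bdata-id\s*=\s*(["\'])([A-Za-z0-9_-]{1,64})\1/', $raw, $m ) ) {
        return ''; // Nothing recognisable: store an empty value.
    }

    // Rebuild from a fixed template so no other markup or script is stored,
    // whatever else was pasted into the textarea.
    return sprintf(
        '<div class="into-container gn-immune cleanslate" data-id="%s"></div>'
        . '<script src="%s"></script>',
        esc_attr( $m[2] ),
        esc_url( PREFIX_EMBED_SCRIPT )
    );
}

add_filter( 'rwmb_meta_boxes', function ( $meta_boxes ) {
    $meta_boxes[] = [
        'title'  => 'Team Field Group',
        'fields' => [
            [
                'type'              => 'textarea',
                'id'                => 'embed_code',
                'name'              => 'Widget Embed Code',
                // A callable name replaces 'none': the field is still
                // exempt from the default filter, but not from validation.
                'sanitize_callback' => 'prefix_sanitize_embed_code',
            ],
        ],
    ];
    return $meta_boxes;
} );
```

With this callback a contributor who can edit the post can change which badge is shown but cannot store an arbitrary script in the field.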
