When building custom functionality into WordPress, it’s important to make sure that you’re properly sanitizing data. WordPress provides an array of utility functions for doing this.
Say we’re working with a widget and the user wants to provide text that looks like this:
And we want the end result to look like this:
<strong>Hi There!</strong><p>My name is Tom.</p>
A simple regular expression will strip out the script tags together with their contents (the s modifier lets the dot match across new lines, so multi-line script blocks are caught too):
$clean = preg_replace( '/<script\b[^>]*>(.*?)<\/script>/is', '', $input );
Practically speaking, here’s a gist of what the update function may look like:
A word of caution: this approach is suitable for small cases, but I don’t recommend it for sanitizing data in larger fields or larger systems, since it only catches the literal script tag and nothing else.
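The following is an added example, not code from the original post: a complete widget whose update function sanitizes the submitted text both ways, the script-tag regex from above and WordPress's own allowlist filter wp_kses(), which keeps only the strong and p tags the desired output uses. The class name Example_Text_Widget, the method strip_script_tags() and the allowed-tag list are assumptions for illustration; the code assumes it runs inside WordPress so that WP_Widget, wp_kses() and sanitize_text_field() are available.

```php
<?php
// Added example (not from the original post). Assumes it is loaded inside
// WordPress, so WP_Widget, wp_kses() and sanitize_text_field() exist.
class Example_Text_Widget extends WP_Widget {

    // Allowlist: only <strong> and <p> may survive, with no attributes at all.
    // Everything not listed here is removed by wp_kses().
    private static $allowed_html = array(
        'strong' => array(),
        'p'      => array(),
    );

    public function __construct() {
        parent::__construct( 'example_text_widget', 'Example Text Widget' );
    }

    // The regex from the post: removes <script ...>...</script> blocks, including
    // their contents and across newlines (s modifier). It only knows about the
    // literal script tag, which is why it is not enough on its own.
    public static function strip_script_tags( $input ) {
        return preg_replace( '/<script\b[^>]*>(.*?)<\/script>/is', '', $input );
    }

    // Allowlist filtering: keeps <strong> and <p>, drops every other tag,
    // attribute and inline event handler that the regex above would leave alone.
    public static function filter_allowed_html( $input ) {
        return wp_kses( $input, self::$allowed_html );
    }

    public function update( $new_instance, $old_instance ) {
        $instance = $old_instance;

        // Title is plain text: no markup allowed.
        $instance['title'] = sanitize_text_field( isset( $new_instance['title'] ) ? $new_instance['title'] : '' );

        // Body: run the cheap regex first (harmless), then the allowlist filter,
        // which is what actually guarantees only <strong> and <p> remain.
        $text = isset( $new_instance['text'] ) ? $new_instance['text'] : '';
        $text = self::strip_script_tags( $text );
        $instance['text'] = self::filter_allowed_html( $text );

        return $instance;
    }

    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        if ( ! empty( $instance['title'] ) ) {
            echo $args['before_title'] . esc_html( $instance['title'] ) . $args['after_title'];
        }
        // Already filtered on save; filtering again on output costs little and
        // protects against values written to the option by other code paths.
        echo self::filter_allowed_html( isset( $instance['text'] ) ? $instance['text'] : '' );
        echo $args['after_widget'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Example_Text_Widget' );
} );
```

Given input such as `<strong>Hi There!</strong><script>alert(1)</script><p>My name is Tom.</p>`, both strip_script_tags() and filter_allowed_html() return `<strong>Hi There!</strong><p>My name is Tom.</p>`; the difference shows up on input that carries no script tag but does carry other markup or attributes, where only the wp_kses() path reduces it to the two allowed tags.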