When building custom functionality into WordPress, it’s important to make sure that you’re properly sanitizing data. WordPress provides an array of utility functions for doing this.
But there are times when completely sanitizing the input may be too much. For example, say you’re working on a widget that has a text field and you’re comfortable with allowing the user to input styles and markup but want to remove any JavaScript. Using strip_tags and stripslashes is overkill, obviously. These would reduce the input to nothing but the raw text.
Here’s a simple way to remove JavaScript tags from input fields while still supporting inline CSS and HTML markup:
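An added example, not the original post's code: one way to do this with WordPress's own KSES filter, which also covers event-handler attributes and javascript: URLs that removing script tags alone would leave behind. The names myprefix_strip_js() and Myprefix_Text_Widget are hypothetical, and the code assumes it is loaded inside WordPress, where WP_Widget and wp_kses_post() are defined.

```php
<?php
// Added example; myprefix_strip_js() and Myprefix_Text_Widget are hypothetical names.

/**
 * Remove JavaScript from an unslashed string, keeping HTML markup and inline styles.
 */
function myprefix_strip_js( $input ) {
	// KSES removes the <script> tags themselves but leaves the text between
	// them in place, so drop complete script blocks first.
	$clean = preg_replace( '#<script\b[^>]*>.*?</script\s*>#is', '', $input );
	if ( null === $clean ) {
		// PCRE error (e.g. backtrack limit): continue with the raw input;
		// KSES below still strips the tags, leaving only inert text.
		$clean = $input;
	}

	// wp_kses_post() keeps the elements and attributes allowed in post
	// content, including style="" (filtered per CSS property), and drops
	// everything else: <script>, on* event-handler attributes, and
	// javascript: URLs in href/src.
	return wp_kses_post( $clean );
}

class Myprefix_Text_Widget extends WP_Widget {
	public function __construct() {
		parent::__construct( 'myprefix_text', 'Myprefix Text' );
	}

	// Sanitize on save so only the cleaned markup is stored.
	public function update( $new_instance, $old_instance ) {
		$instance         = $old_instance;
		$instance['text'] = isset( $new_instance['text'] )
			? myprefix_strip_js( $new_instance['text'] )
			: '';
		return $instance;
	}

	// Filter again on output in case the stored option was changed elsewhere.
	public function widget( $args, $instance ) {
		echo $args['before_widget'];
		echo isset( $instance['text'] ) ? myprefix_strip_js( $instance['text'] ) : '';
		echo $args['after_widget'];
	}
}
```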