When building multisite using wordpress, its important to make sure you need javasript or not. For example, because i am working at university, my partner told me that we must not allow user to add javascript especially in text widget. we afraid that user add some ads using javasript in text widget or embed video in it. To minimalize that, i think to remove javascript tags if user input in input field.
Here’s a simple way to removing JavaScript tags from input fields:
Say we are working with text widget and user input text like that:
<script type="text/javascript">alert('Hello world!');</script><strong>hi all, my name is dhieka</strong><p>nice to meet you</p>
And we want the result like this:
</script><strong>hi all, my name is dhieka</strong><p>nice to meet you</p>
Simple regular expression will allow you to parse out the script tags (and it accounts for new lines, too):
preg_replace( '/<script\b[^>]*>(.*?)<\/script>/is', '', $input );
and if user want to embed video:
preg_replace( '/<iframe\b[^>]*>(.*?)<\/iframe>/is', '', $input );
then you must open defaults-widget.php in wp-include -> defaults-widget.php. search phrase like :
class WP_Widget_Text extends WP_Widget { function __construct() { .... } function widget( $args, $instance ) { ... } /*** replace with this ******/ function update( $new_instance, $old_instance ) { $instance = $old_instance; $instance['title'] = strip_tags($new_instance['title']); if ( current_user_can('unfiltered_html') ) { $instance1['text'] = preg_replace( '/<script\b[^>]*>(.*?)<\/script>/is','', $new_instance['text'] ); $instance['text'] = preg_replace( '/<iframe\b[^>]*>(.*?)<\/iframe>/is','', $instance1['text'] ); } else $instance['text'] = stripslashes(wp_filter_post_kses(addslashes ($new_instance['text']) ) ); $instance['filter'] = isset($new_instance['filter']); return $instance; } }
thank you for reading my blog..
Lets weblog-ing with me ~~
Kamsahamnida