Hello @dmnvrse
Hope you are well and safe.
We don’t allow adding and running scripts in the HTML field for security reasons; the onclick attribute can easily be used for XSS attacks, so I wouldn’t suggest using it.
It’s possible to change that behavior using the “wp_kses_allowed_html” hook that we use for filtering the HTML input, but I’m afraid I can’t provide you with any custom code because it is out of the scope of our support.
The event listener should work; you can target the form ID + your field class, or add a specific ID to your custom HTML code. I may be able to help further if you share some example code.
Kind Regards
Amin
I was using an event listener initially and it doesn’t work because the HTML div keeps changing when there are changes on other fields, validation, etc.
I’m targeting a specific form ID + field class. The same script targeting a button outside the form was fine, but not the button created using the HTML field. That’s why I thought of using onclick as a last resort.
onclick might not be the best, but I guess adding a CSP header will make it safe? I’m not sure, as I’m new to web development.
Hello @dmnvrse
I consulted with our developers about your issue. I’m afraid you can’t run a function like this: onclick=”myFunction()”. As I mentioned, for security reasons we have disabled it on form fields.
But you can do something like this as an event listener:
document.getElementById('myBtn').onclick = myFunction;
So when the user clicks on your button with the myBtn ID, it will trigger another JavaScript function and eventually run your code. Since custom code is out of scope, I can’t provide an example. If you need further assistance, you’ll need to hire a developer to provide the required custom code for you. WordPress provides a jobs directory here https://jobs.wordpress.net/, if you need further advice about it, feel free to email [email protected].
Subject: ATTN: WPMU DEV support – wp.org
Kind Regards
Amin
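The listener approach suggested above fails in dmnvrse’s case because the button inside the HTML field is re-created whenever the form re-renders, so a handler bound directly to that button is lost. Delegating the click to the form element, which is never replaced, avoids that; the following is an added example, not code from this thread or from the plugin, and the form ID “my-form” and button class “my-custom-btn” are placeholders.

```javascript
// Added example (not from the thread or the plugin). Instead of binding to the
// button (which the form replaces on validation/re-render), listen on the
// <form>, which stays in the DOM, and match the clicked element by selector.
// Placeholders: form id "my-form", button class "my-custom-btn".

function bindDelegatedClick(form, buttonSelector, handler) {
  const listener = (event) => {
    // closest() walks up from the real click target (possibly a <span> inside
    // the button) to the nearest element matching the selector, if any.
    const btn = event.target && event.target.closest
      ? event.target.closest(buttonSelector)
      : null;
    // Ignore clicks elsewhere in the form, and ignore a match that sits above
    // the form in the tree (closest() does not stop at the form boundary).
    if (!btn || !form.contains(btn)) return;
    handler(event, btn);
  };
  form.addEventListener('click', listener);
  // Return an unbind function so the caller can clean up if the form is removed.
  return () => form.removeEventListener('click', listener);
}

// Browser usage: attach once at page load to the stable form element. The
// button inside the HTML field can be re-created any number of times after
// this and its clicks still bubble up to the form and reach the handler.
if (typeof document !== 'undefined') {
  const form = document.getElementById('my-form');
  if (form) {
    bindDelegatedClick(form, '.my-custom-btn', (event, btn) => {
      event.preventDefault(); // keep the click from submitting the form
      console.log('custom button clicked', btn);
    });
  }
}
```

On the CSP question raised earlier in the thread: a Content-Security-Policy whose script-src omits 'unsafe-inline' blocks inline onclick attributes outright, so a listener registered from an external script, as above, is the form that works under both the plugin’s HTML filter and a strict CSP.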
Thank you for keeping the plugin/web safe! A big lesson learned on XSS attacks. I’ll close this.