I have a textarea that will receive a JS snippet (Google Analytics). Is there a way to sanitize that? Since I cannot use functions like wp_filter_nohtml_kses(), what should I use?
According to this Google help page, here is the current Analytics tracking code:
The ‘UA-XXXXX-Y’ is the Property ID. It looks like the first two characters are always ‘UA’. ‘XXXXX’ represents some number of numeric digits (not necessarily five digits, since one of the Property IDs for my sites has eight digits). ‘Y’ is an integer that might have more than one digit.
One way you could validate the Property ID would be with a regular expression, like this:
This will return 1 if $input is a valid Property ID format, and false if it is not.
// The "/" in </script> is escaped because "/" is also the pattern delimiter.
preg_match( '/\A<script((?!<[a-zA-Z])[\s\S])*<\/script>\Z/', trim($input) );
The other thing I would do is make sure that only an administrator can set this option, and if he or she sneaks some HTML into there and breaks their own website, it’s their own fault. Of course, if this is going into the database, make sure it is sanitized for SQL.
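Added example, not part of the original answer: one way to apply the Property ID format described above is to keep only the ID from whatever is pasted into the textarea and discard the rest, so the stored option never contains markup. The function names and sample inputs are hypothetical and constructed for illustration; in WordPress the extractor could serve as the `sanitize_callback` passed to `register_setting()`.

```php
<?php
// Added example: helper names are hypothetical, sample inputs are constructed.

/** True only if $id is exactly 'UA-<digits>-<digits>' (the format described above). */
function is_valid_ga_property_id( $id ) {
    // \A and \z anchor the whole string; unlike '$', \z rejects a trailing newline.
    return is_string( $id ) && preg_match( '/\AUA-[0-9]+-[0-9]+\z/', $id ) === 1;
}

/**
 * Pull the Property ID out of pasted textarea content.
 * Returns the ID, or null when no ID or several different IDs are present.
 */
function extract_ga_property_id( $input ) {
    if ( ! is_string( $input ) ) {
        return null;
    }
    // The lookarounds stop a match inside a longer token such as 'XUA-1-2' or 'UA-1-2x'.
    $pattern = '/(?<![A-Za-z0-9-])UA-[0-9]+-[0-9]+(?![A-Za-z0-9-])/';
    if ( ! preg_match_all( $pattern, $input, $matches ) ) {
        return null; // 0 matches, or false on a regex error
    }
    $ids = array_values( array_unique( $matches[0] ) );
    // An ambiguous paste (two different IDs) is rejected rather than guessed at.
    return count( $ids ) === 1 ? $ids[0] : null;
}

// Constructed sample inputs, as they might arrive from the textarea.
$samples = array(
    'bare id'      => 'UA-12345678-1',
    'pasted code'  => "<script>ga('create', 'UA-12345678-1', 'auto');</script>",
    'no id at all' => "<script>document.title = 'x';</script>",
    'two ids'      => 'UA-111-1 and UA-222-2',
    'embedded'     => 'fooUA-123-4bar',
);

foreach ( $samples as $label => $raw ) {
    $id = extract_ga_property_id( $raw );
    // Re-check the extracted value with the strict validator before it is stored.
    $ok = $id !== null && is_valid_ga_property_id( $id );
    printf( "%-13s => %s\n", $label, $ok ? $id : 'rejected' );
}
```

Only the validated ID is kept, so the tracking snippet itself can be emitted from a fixed template in the theme or plugin rather than from user-supplied script text.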