WPCloudDeploy Documentation

Removing Code & JS Inputs in Beaver Builder

When you’re creating a WordPress SaaS, you might want to let your users use a page builder such as Beaver Builder.

However, this opens up a potentially dangerous hole because users can now enter JS code that is rendered on the front-end. A malicious user can add booby-trapped code so that when you navigate to the site, that code executes in your browser.

Any plugin that you give users access to needs to be reviewed for this type of dangerous input.

With Beaver Builder you can remove these inputs (yet another reason why we prefer it for SaaS projects over something like Elementor).

To remove the CODE tab from the customizer, you need to add the following code to your template site custom plugin:

function remove_fl_code( $wp_customize ) {
     $wp_customize->remove_panel( 'fl-code' );
}
add_action( 'customize_register', 'remove_fl_code', 11 );

If you’re using a class, the add_action function call will change slightly to include the use of array() when referencing the hooked function.

Each Beaver Builder module also includes an option to set JS code, so you’ll need to remove that as well:

add_filter("fl_builder_main_menu", function ($views) {
     unset( $views['main']['items'][50] ); //Layout CSS & Javascript
     unset( $views['main']['items'][60] ); //Global Settings
     return $views;
});

If you’re using a class, the add_filter function call will change slightly to include the use of array() when referencing the hooked function.
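
The class-based form mentioned in both notes above, as an added example that is not part of the original documentation. The class name Template_Site_BB_Lockdown and the plugin header are hypothetical; the hooks, priority, panel ID and menu item keys are the ones from the two snippets above.

```php
<?php
/**
 * Plugin Name: Template Site BB Lockdown (hypothetical name, added example)
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Do not run outside WordPress.
}

class Template_Site_BB_Lockdown {

	// Builder main-menu item keys to hide; values taken from the snippet above.
	const MENU_ITEMS = array(
		50, // Layout CSS & Javascript
		60, // Global Settings
	);

	public function __construct() {
		// Same hooks and priority as the function-based snippets,
		// with the callback given as array( object, 'method name' ).
		add_action( 'customize_register', array( $this, 'remove_code_panel' ), 11 );
		add_filter( 'fl_builder_main_menu', array( $this, 'remove_js_menu_items' ) );
	}

	// Removes the CODE panel from the customizer.
	public function remove_code_panel( $wp_customize ) {
		$wp_customize->remove_panel( 'fl-code' );
	}

	// Drops the menu entries that expose JS input, then returns the filtered menu.
	public function remove_js_menu_items( $views ) {
		foreach ( self::MENU_ITEMS as $key ) {
			unset( $views['main']['items'][ $key ] );
		}
		return $views;
	}
}

// Instantiate once so the hooks are registered when the plugin loads.
new Template_Site_BB_Lockdown();
```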
