
"invalid_elements" not working when we have "valid_elements" in TinyMCE


I have a scenario in which we have defined valid and invalid elements in TinyMCE. Below are the values of these two:

invalid_elements: 'script',
valid_elements: '*[*]',

"invalid_elements" is there to prevent JavaScript from being entered. With the above settings, TinyMCE is not preventing JavaScript, but if I remove "valid_elements" then it starts working.

I am not sure whether TinyMCE will still allow everything if I remove "valid_elements", and that's why I am keeping "valid_elements".

TinyMCE version: 5.6.2

Related question but not helping in my scenario: Disable Javascript in TinyMCE

Working Fiddle: https://fiddle.tiny.cloud/WRhaab/2

Is there any way by which I can keep "valid_elements" and prevent JavaScript as well?


Solution

  • valid_elements and invalid_elements are not exclusive options. They can work together but can't contradict each other.

    When you are setting valid_elements to '*[*]', it means all elements are allowed. If all elements are valid, scripts are valid too. That's why if you remove the valid_elements option, invalid_elements starts working.

    If you are not sure some elements would stay valid if valid_elements: '*[*]' is removed, you can check HTML 5 and HTML 4 specifications since by default TinyMCE allows all elements specified by these standards. You can use the schema option to switch between different standards.
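
The configuration change described in this answer, as an added example that is not part of the original question or answer: the question's settings beside a version without the catch-all rule, plus a round-trip check that shows whether a script element survives the editor. The `#editor` selector, the probe markup and the `checkScriptFiltering` helper are assumptions made for illustration.

```javascript
// Added example (not from the original post). Assumes TinyMCE 5 is loaded as
// the global `tinymce`; the '#editor' selector is hypothetical.

// Configuration from the question: the catch-all rule declares every element
// valid, which contradicts invalid_elements, so <script> is not removed.
const questionConfig = {
  selector: '#editor',
  invalid_elements: 'script',
  valid_elements: '*[*]'
};

// Corrected configuration: no catch-all valid_elements, so the schema defines
// what is valid and invalid_elements can take <script> out of it.
const correctedConfig = {
  selector: '#editor',
  schema: 'html5', // TinyMCE's default schema, written out explicitly
  invalid_elements: 'script'
};

// Constructed probe: one harmless paragraph plus one script element. The
// closing tag is written '<\/script>' so this file can be inlined in HTML.
const PROBE = '<p>visible text</p><script>window.__probeRan = true;<\/script>';

// Round-trip the probe through an editor and report what survived filtering.
// `editor` only needs setContent() and getContent(), as a TinyMCE editor has.
function checkScriptFiltering(editor) {
  editor.setContent(PROBE);
  const html = editor.getContent();
  return {
    scriptRemoved: !/<script[\s>]/i.test(html),
    textKept: html.includes('visible text'),
    html
  };
}

// In the browser: initialise with the corrected config and log the result once
// the editor is ready. Skipped where TinyMCE is absent (for example under Node).
if (typeof tinymce !== 'undefined') {
  tinymce.init({
    ...correctedConfig,
    setup: (editor) => {
      editor.on('init', () => console.log(checkScriptFiltering(editor)));
    }
  });
}
```

The check only covers markup that passes through the editor; content submitted to the server by any other route is not filtered by these options.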