Fixed: Fix it: ACF will soon escape unsafe HTML that is rendered by the_field()


If you’re using ACF Pro then you’ve likely seen the latest warning in your WP dashboard that says “ACF will soon escape unsafe HTML that is rendered by the_field().” If you click on “learn more”, you can read the article here, which outlines how to fix it. Some of this article has direct references to the original article from ACF.

Here’s what the warning looks like, for reference:

Since this release can cause breaking changes, and this site is a production site, we agreed to fix it. The article gives you a number of options such as:

Using ACF securely.

I went with this option for this website, and changed all the fields from:

<?php the_field('general_text_container'); ?> (the_field is being called directly, so whatever HTML is stored in the field is printed as-is)

to:

<?php echo wp_kses_post( get_field('general_text_container') ); ?> (the value is now run through wp_kses_post, which strips any HTML not allowed in post content before it is echoed)

Removing the notice

I super don’t recommend this one, as all it does is remove the warning, and not actually fix the problem. It’s like when Homer Simpson covered the ‘check engine’ warning on his car with duct tape 🙂

But if you choose to go with this option, you can add this to your functions.php file:

add_filter( 'acf/admin/prevent_escaped_html_notice', '__return_true' );

Conditionally disabling the new behaviour

I don’t recommend this option either, especially for a site with lots of users and logins, but here’s how you can conditionally allow unsafe HTML.

If you trust your users with the role of contributor or higher, it is possible to use one of two new filters to disable this automatic escaping by returning true. You should limit the filter to specific field keys using the additional parameters available.

  • acf/shortcode/allow_unsafe_html will disable the escaping for the shortcode.
  • acf/the_field/allow_unsafe_html will disable the escaping when using the_field.

The filters provide different arguments should you wish to allow unsafe HTML for a specific field type, on a specific page, or for a specific field name or key.

The shortcode filter provides you the field type and the full attributes array passed into the shortcode, along with the full field object if available:

apply_filters( 'acf/shortcode/allow_unsafe_html', false, $attributes, $field_type, $field_object )

For example, if you’re using  to output an iframe, you could use the following code to allow that field to output potentially unsafe HTML (the iframe)

add_filter( 'acf/shortcode/allow_unsafe_html', function ( $allowed, $atts ) {
    if ( $atts['field'] === 'podcast_iframe' ) {
        return true;
    }
    return $allowed;
}, 10, 2 );

The filter for the_field() (and the_sub_field()) provides you with the field selector provided to the output function, the post ID (if provided), and the field type. It also provides you the field object which will contain the field key (but may be false if ACF wasn’t able to find the field reference).

apply_filters( 'acf/the_field/allow_unsafe_html', false, $selector, $post_id, $field_type, $field_object )

For example, if you’ve got a field called google_maps_iframe which contains an iframe of a Google map, the following code would allow it to still be output by the_field:

add_filter( 'acf/the_field/allow_unsafe_html', function( $allowed, $selector ) {
    if ( $selector === "google_maps_iframe" ) {
        return true;
    }
    return $allowed;
}, 10, 2);
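The two snippets above match on the field name or shortcode attribute only, which disables escaping for every post that uses that field. The filter actually hands you five arguments, so the opt-out can be narrowed much further. This is an added example, not code from the original post or from ACF; the field key 'field_abc123def456' and the field name 'google_maps_iframe' are constructed placeholders, and it assumes the field is a textarea.

```php
<?php
// Added example: only allow unsafe HTML from the_field() for one specific
// field (matched by key, not name), one field type, and only when the post's
// author is allowed to publish raw HTML anyway (the 'unfiltered_html' capability).
// 'field_abc123def456' is a constructed placeholder for the real ACF field key.
add_filter(
    'acf/the_field/allow_unsafe_html',
    function ( $allowed, $selector, $post_id, $field_type, $field_object ) {
        // Another filter already allowed it: do not override that decision.
        if ( $allowed ) {
            return $allowed;
        }

        // ACF passes false when it could not resolve the field reference.
        // Unknown field means we keep escaping.
        if ( ! is_array( $field_object ) || empty( $field_object['key'] ) ) {
            return $allowed;
        }

        // Field names can repeat across field groups; keys are unique.
        if ( 'field_abc123def456' !== $field_object['key'] ) {
            return $allowed;
        }

        // Belt and braces: the key above is expected to be a textarea.
        if ( 'textarea' !== $field_type ) {
            return $allowed;
        }

        // $post_id may be empty when the_field() was called without one;
        // get_post() then falls back to the current global post.
        $post = get_post( $post_id );
        if ( ! $post || ! user_can( (int) $post->post_author, 'unfiltered_html' ) ) {
            // Author could not have saved raw HTML through the editor either,
            // so do not let the_field() print it unescaped.
            return $allowed;
        }

        return true;
    },
    10,
    5
);
```

Note that the callback is registered with 5 accepted arguments; with the default of 1, $selector and the rest would never be passed in. On multisite, only super admins hold 'unfiltered_html' by default, so the opt-out will rarely fire there.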

Enable the new behaviour early

I also opted in to this, so the stripping of unsafe HTML is applied immediately rather than waiting for the future release, and ACF reports it whenever a field’s output has been modified. You can add this to your functions.php file:

add_filter( 'acf/the_field/escape_html_optin', '__return_true' );