Ok, done some more digging/reading.
The sanitize_meta function I mentioned above simply adds a filter that you can then hook to do custom sanitization. As per the codex function – it doesn’t do any sanitization itself. So that’s kind of irrelevant.
However, further down, the actual DB update is done using $wpdb->update, which does escape the data.
What I’m not entirely sure yet is whether one then needs to do any additional sanitization. Also whether I’m ok to use the_field, get_field etc as-is when outputting data, or whether these need escaping?
This post was helpful: http://wordpress.stackexchange.com/questions/44807/sanitize-vimeo-embed-code
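An added example, not part of the original post and not ACF's own code: it shows the two separate steps the post is asking about, a custom sanitizer attached to the filter that sanitize_meta fires before the value is stored, and escaping for the HTML context when the value is printed. The field name `video_url`, the `example_` function names and the host allow-list are assumptions made for illustration, and the field is assumed to be stored as ordinary post meta.

```php
<?php
// Added example. 'video_url' is a hypothetical ACF URL field saved as post meta.

// Input side: sanitize_meta() applies a filter named
// sanitize_{$meta_type}_meta_{$meta_key}; nothing is cleaned unless a callback is hooked.
add_filter( 'sanitize_post_meta_video_url', 'example_sanitize_video_url' );

function example_sanitize_video_url( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    // esc_url_raw() prepares a URL for storage; only https is accepted here.
    $url  = esc_url_raw( trim( $value ), array( 'https' ) );
    $host = wp_parse_url( $url, PHP_URL_HOST );

    // Constructed allow-list for this example.
    $allowed = array( 'vimeo.com', 'player.vimeo.com' );

    return ( $host && in_array( strtolower( $host ), $allowed, true ) ) ? $url : '';
}

// Output side: the escaping done by $wpdb->update only protects the SQL statement.
// The stored value still has to be escaped for the context it is printed into.
function example_render_video_link( $post_id ) {
    $url = get_field( 'video_url', $post_id );
    if ( ! is_string( $url ) || '' === $url ) {
        return '';
    }
    return sprintf(
        '<a href="%s">%s</a>',
        esc_url( $url, array( 'https' ) ), // attribute holding a URL
        esc_html( $url )                   // text node
    );
}
```

Fields that are meant to contain markup would pass through wp_kses_post() on output instead of esc_html().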