Thanks. I have done some initial testing.
If one has a front end form with text field, a malicious user could potentially input <script>alert('You've been hacked');</script> and if echo get_field or the_field is used to output that field, the script will then run.
As far as I understand it, one would therefore use echo esc_html(get_field(..)); to escape the data on output (or esc_attr, esc_url, etc as appropriate).
I think this needs highlighting right at the top of your Front End form ‘how-to’!
What I have yet to establish is whether any additional sanitization needs to be done before the data is input to the database. According to http://codex.wordpress.org/Class_Reference/wpdb#UPDATE_rows, $wpdb->update takes raw input values (they should not be SQL escaped) – so perhaps that’s enough?
The only thing that bothers me is that potentially one could then still end up with malicious js script in the db – maybe the answer is to use esc_html on input to db as well as output.
Any further thoughts welcome…
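As an added illustration of the two-step pattern the post is asking about (sanitize when saving, escape for the output context when printing), here is example PHP that is not code from the post or from ACF. The field names ('bio', 'website'), the function names and the assumption that the nonce and capability checks already happened are mine; sanitize_text_field() and esc_url_raw() are used for the input step the post leaves open, with esc_html/esc_attr/esc_url still applied at output.

```php
<?php
// Added example, not from the original post or ACF. Field names ('bio', 'website')
// and the function names below are assumptions for illustration.

// --- Saving: sanitize on input so raw markup never reaches the database. ---
// Assumed to be called from a front-end form handler that has already verified
// the nonce (wp_verify_nonce) and the user's capability (current_user_can).
function example_save_profile_fields( $post_id ) {
    // Plain text field: strips tags, removes line breaks and extra whitespace.
    $bio = isset( $_POST['bio'] ) ? sanitize_text_field( wp_unslash( $_POST['bio'] ) ) : '';

    // URL field: keeps only URL-valid characters and an allowed protocol.
    $website = isset( $_POST['website'] ) ? esc_url_raw( wp_unslash( $_POST['website'] ) ) : '';

    // update_field() stores through the WordPress API and expects values that are
    // NOT SQL-escaped, in line with the $wpdb->update note in the post.
    update_field( 'bio', $bio, $post_id );
    update_field( 'website', $website, $post_id );
}

// --- Output: escape for the context the value is printed into. ---
function example_render_profile( $post_id ) {
    // Vulnerable form described in the post: a stored <script> would execute here.
    // echo get_field( 'bio', $post_id );

    // Hardened: HTML body context.
    echo '<p>' . esc_html( get_field( 'bio', $post_id ) ) . '</p>';

    // Hardened: href context (esc_url), attribute context (esc_attr), body (esc_html).
    $website = get_field( 'website', $post_id );
    echo '<a href="' . esc_url( $website ) . '" title="' . esc_attr( $website ) . '">'
        . esc_html( $website ) . '</a>';
}
```

Output escaping stays necessary even with input sanitization, because a value can reach the database by other routes (admin edits, imports, other plugins).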