Sorry to hijack this post, but I didn’t want to start yet another on the subject.
I have several sites that will be affected by this update and I am trying to find a concise and absolute answer to my question.
I’ve read the ACF 6.2.5 Security Release post several times and a lot of the comments and replies, most of which seem very ambiguous, and I’m still not 100% sure I fully understand how to fix the incoming issues. So I’m hoping if I ask a concise and specific question, I might get a concise answer.
On the majority of the sites my ACF data is called using echo get_field(), echo get_sub_field(), or more recently storing get_field() as a variable and then accessing the data via the variable, e.g. echo $variable_name['field_name'];.
There are several instances where <iframe> or <script> tags are present on these sites, e.g. third-party CRM integrations, Google Analytics, etc. Obviously I need these to continue working as they do at present.
There are a few unique places where I have used the_field() or the_sub_field() to output some <iframe> or <script> tags, most commonly this is used to output Google Analytics code in the <head>.
My question is, do I simply need to change any instance of the_field() and the_sub_field() to echo get_field() and echo get_sub_field()? Or is there more I need to do?
I initially thought that was the case after reading:
…if you’re confident you can trust every user registered on your site with contributor or higher access—we recommend you use echo get_field() to output this unsafe HTML to ensure it’s not filtered.
But I have since seen some replies in the comments and this week’s Chat Friday Q&A that have made me question what I thought was a simple change, like:
Q: Does the escaping only happen if we use the ACF shortcode, but not if we use something like the_field or get_field?
A: In 6.2.5, this only happens for the ACF shortcode, but in a future release (likely 6.2.7), it will also happen when using the_field or get_field. However, ACF 6.2.5 displays a warning when the_field or get_field are being used in a way that could output unsafe HTML. The warning message is included to give you a chance to get ahead of this change.
The mention of get_field() being problematic in the future was not something I’d seen until then.
Would anyone care to clarify?