Reply To: Question about updates coming in 6.2.7 (Forums, General Issues)

  • Sorry to hijack this post, but I didn’t want to start yet another on the subject.

    I have several sites that will be affected by this update and I am trying to find a concise and absolute answer to my question.

    I’ve read the ACF 6.2.5 Security Release post several times and a lot of the comments and replies, most of which seem very ambiguous, and I’m still not 100% sure I fully understand how to fix the incoming issues. So I’m hoping that if I ask a concise and specific question, I might get a concise answer.

    On the majority of the sites my ACF data is called using echo get_field(), echo get_sub_field(), or more recently storing get_field() as a variable and then accessing the data via the variable, e.g. echo $variable_name['field_name'];.

    There are several instances where <iframe> or <script> tags are present on these sites, e.g. third-party CRM integrations, Google Analytics, etc. Obviously I need these to continue working as they do at present.

    There are a few unique places where I have used the_field() or the_sub_field() to output some <iframe> or <script> tags; most commonly this is used to output Google Analytics code in the <head>.

    My question is, do I simply need to change any instance of the_field() and the_sub_field() to echo get_field() and echo get_sub_field()? Or is there more I need to do?

    I initially thought that was the case after reading:

    …if you’re confident you can trust every user registered on your site with contributor or higher access—we recommend you use echo get_field() to output this unsafe HTML to ensure it’s not filtered.

    But I have since seen some replies in the comments and this week’s Chat Friday Q&A that have made me question what I thought was a simple change, like:

    Q: Does the escaping only happen if we use the ACF shortcode, but not if we use something like the_field or get_field?

    A: In 6.2.5, this only happens for the ACF shortcode, but in a future release (likely 6.2.7), it will also happen when using the_field or get_field. However, ACF 6.2.5 displays a warning when the_field or get_field are being used in a way that could output unsafe HTML. The warning message is included to give you a chance to get ahead of this change.

    The mention of get_field() being problematic in the future was not something I’d seen until then.

    Would anyone care to clarify?
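The post above asks how to keep editor-supplied `<iframe>` and `<script>` output working once the_field() starts escaping. The quoted advice is to use `echo get_field()` because that path is not filtered, which means the theme, not ACF, becomes responsible for what that raw value can do. The following is an added example, written for this thread and not code from the original poster or from the ACF plugin, showing a way to take that responsibility explicitly instead of echoing a raw field. It assumes a WordPress theme context (wp_kses(), wp_kses_post(), esc_attr() and wp_parse_url() are WordPress core functions) and the ACF get_field() call as used in the post; the field names `crm_embed` and `ga_measurement_id`, the host `app.example-crm.com` and the use of an ACF options page (`'option'`) are hypothetical.

```php
<?php
// Added example for this thread; not from the original post or from ACF.
// Assumes WordPress core (wp_kses, wp_kses_post, esc_attr, wp_parse_url) and ACF get_field().
// Field names and the allowed host below are hypothetical.

/**
 * Output a third-party <iframe> stored in an ACF field, but only when its src is an
 * https URL on a host the theme explicitly trusts. Anything else is reduced to
 * post-safe HTML via wp_kses_post(), which strips <iframe> and <script> entirely.
 */
function render_trusted_iframe( string $html, array $allowed_hosts ): string {
    // Keep only a single <iframe> element with a small, known attribute set.
    $allowed_tags = array(
        'iframe' => array(
            'src'             => true,
            'width'           => true,
            'height'          => true,
            'title'           => true,
            'allow'           => true,
            'allowfullscreen' => true,
            'loading'         => true,
        ),
    );
    $clean = wp_kses( $html, $allowed_tags );

    // Pull the src out of the sanitized markup and check scheme and host.
    if ( ! preg_match( '/\bsrc\s*=\s*["\']([^"\']+)["\']/i', $clean, $m ) ) {
        return wp_kses_post( $html ); // no usable iframe src: fall back to post-safe HTML
    }
    $scheme = wp_parse_url( $m[1], PHP_URL_SCHEME );
    $host   = strtolower( (string) wp_parse_url( $m[1], PHP_URL_HOST ) );
    if ( 'https' !== $scheme || ! in_array( $host, $allowed_hosts, true ) ) {
        return wp_kses_post( $html ); // untrusted origin: do not emit the frame
    }
    return $clean;
}

/**
 * Google Analytics: store only the measurement ID in the field, never the raw <script>.
 * The theme owns the markup, so the editor-controlled value is validated and escaped
 * before it is placed inside the snippet.
 */
function render_ga_snippet( string $measurement_id ): string {
    // Refuse anything that is not shaped like a GA4 (G-…) or Universal (UA-…) ID.
    if ( ! preg_match( '/^(G|UA)-[A-Z0-9-]{4,20}$/', $measurement_id ) ) {
        return '';
    }
    $id = esc_attr( $measurement_id );
    return "<script async src=\"https://www.googletagmanager.com/gtag/js?id={$id}\"></script>\n"
         . "<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}"
         . "gtag('js',new Date());gtag('config','{$id}');</script>\n";
}

// Template usage (hypothetical field names). get_field() returns the raw, unfiltered value,
// so it is routed through the helpers above rather than echoed directly.
$embed = get_field( 'crm_embed' );
if ( $embed ) {
    echo render_trusted_iframe( $embed, array( 'app.example-crm.com' ) ); // hypothetical host
}

// Emit the GA snippet in <head>; assumes the ID lives on an ACF options page.
add_action( 'wp_head', function () {
    $id = get_field( 'ga_measurement_id', 'option' );
    if ( is_string( $id ) && '' !== $id ) {
        echo render_ga_snippet( $id );
    }
} );
```

The design choice is to narrow what an editor can inject rather than to trust the whole value: for the CRM frame only one element, a fixed attribute set and an allow-listed https origin survive, and for analytics the field holds an identifier instead of markup, so a compromised contributor account gets at most a different tracking ID rather than arbitrary script in every page's `<head>`. If a site genuinely needs arbitrary HTML from a field, the quoted guidance still applies: `echo get_field()` outputs it unfiltered, and that should be limited to fields only fully trusted users can edit.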