Reply To: Need Urgent Solution on the new notification after the last update

  • Thank you for clarifying.

    ACF is not checking your templates for the use of specific functions for specific fields.

    ACF is not checking to see if you’re using shortcodes for specific fields.

    ACF has no idea if there is actually a problem or not.

    ACF is simply looking at the content on a given page when you load the admin and comparing the content before and after applying wp_kses() to see if they are different.

    Altering your code on the site will not change the fact that you have content in your database that will be altered by wp_kses().

    The warning is so that you know there is a difference and do something to prevent the altering of your content by wp_kses() before they release the version that will actually alter that content so that you can prevent your site from breaking when that update is released.

    I found the confusion in the verbiage of the warnings:

    When I see a warning
    “footer_code (Footer Code) – rendered via the_field” (this may not be true)
    COULD READ MORE ACCURATELY (for all cases)
“footer_code (Footer Code) – this is a notice for unfiltered HTML, please check render/display method” (something that is always true)
    (I used the words notice & unfiltered because notice doesn’t sound like a big deal and unfiltered sounds better than unsafe – for the sites where a client has elevated access, warnings and unsafe will scare them)

    Maybe I don’t understand wp_kses – can you please explain for dummies like me. I assume it is the filter function and it works on the output side of the data.

Unfiltered/unsafe HTML is not being stripped when I save or view. (thank goodness) So in the database all my unsafe code is stored safely because my entire <script> is still visible on the backend – So I have to assume it gets stripped on the output side of wp_kses (if that is a thing – input/output).

    ACF ONLY KNOWS that I have unsafe/unfiltered code in a field that will output in stripped manner if not corrected.

    Can someone elaborate or poke holes in my thought process?

    To Add switch to theme options to enable/disable warning:
    – create a Button Group Field in an options page
    – field name = acfwarning_enabledisable
    – Choices:
    – – enabled : Hide Warning
    – – disabled : Display Warning

    Add to a functions file:

    // ACF warning enable disable filter
    // https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/
    // Read the Button Group value from the options page (choice values: enabled / disabled)
    $acfwarning_enable_disable = get_field( 'acfwarning_enabledisable', 'option' );
    // Compare against the stored choice value 'enabled' (not 'enable'), otherwise the filter never runs
    if ( $acfwarning_enable_disable == 'enabled' ) {
        add_filter( 'acf/admin/prevent_escaped_html_notice', '__return_true' );
    } // end if enabledisable

    This function had to fire early and didn’t work when wrapped in an ACF class-exists check. I try to check if ACF exists before running ACF functions; however, the warning enable/disable didn’t work when wrapped with:

    if(class_exists('ACF')){
        // ACF functions go here
    } // close if ACF
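The following is an added example, not the poster's code and not ACF's own implementation. It illustrates two points from the post: the "before and after wp_kses()" comparison that triggers the notice (using wp_kses_post() on a constructed sample value), and the options-page switch with the comparison done against the actual choice value. The function names prefixed example_ are invented here; the field name, choice values and the acf/admin/prevent_escaped_html_notice filter come from the post. Hooking the switch to the acf/init action is an assumption about timing that the thread does not settle, so it may need to be moved earlier if the notice is evaluated before that hook fires.

```php
<?php
// Added example: assumes it runs inside a loaded WordPress + ACF install
// (e.g. from a theme's functions.php). Not the poster's or ACF's own code.

/**
 * Mirror the check described in the thread: the notice is raised when a stored
 * value changes after passing through wp_kses. This says nothing about whether
 * the markup is "safe"; it only reports that filtering would alter it.
 */
function example_value_would_be_altered_by_kses( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    // wp_kses_post() applies WordPress's 'post' allowed-HTML list;
    // <script> is not on it, so a script tag is removed.
    return wp_kses_post( $value ) !== $value;
}

// Constructed sample values for illustration.
$example_samples = array(
    'plain'  => '<p>Hello <strong>world</strong></p>',                 // survives wp_kses_post() unchanged
    'script' => '<script>console.log("tracking");</script><p>Hi</p>', // <script> is stripped
);

foreach ( $example_samples as $label => $html ) {
    $flag = example_value_would_be_altered_by_kses( $html ) ? 'would be altered' : 'unchanged';
    error_log( sprintf( 'Sample "%s": %s', $label, $flag ) );
}

/**
 * The options-page switch from the post. The Button Group stores the choice
 * value ('enabled' / 'disabled'), so that is what the comparison must use.
 * The class/function check is kept, but the whole thing is deferred to a hook
 * (assumed: acf/init) so get_field() has ACF available when it runs.
 */
function example_maybe_hide_acf_escaped_html_notice() {
    if ( ! function_exists( 'get_field' ) ) {
        return; // ACF not active, nothing to do
    }
    if ( get_field( 'acfwarning_enabledisable', 'option' ) === 'enabled' ) {
        add_filter( 'acf/admin/prevent_escaped_html_notice', '__return_true' );
    }
}
add_action( 'acf/init', 'example_maybe_hide_acf_escaped_html_notice' );
```

With the two samples above, the "plain" value is reported unchanged and the "script" value as one that would be altered, which is the same distinction the notice makes. The switch only suppresses the notice; the content in the database is still what wp_kses() would change.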