@nickfmc – thanks for raising this again. It’s certainly a valid and topical point. In essence, EVERYTHING should be escaped on output – as per earlier links in this post.
@elliot as per previous comments, I think it’s really crucial that the documentation is updated to make users aware that data is not escaped automatically (& indeed, couldn’t be, as it will depend on context).
Welcome to the Advanced Custom Fields community forum.
Browse through ideas, snippets of code, questions and answers between fellow ACF users
2022 was a big year for Advanced Custom Fields, with more capabilities, a new generation of ACF Blocks, a refreshed UI, and a new home. Our year in review post looks at advancements we’ve made and offers a glimpse of the future. https://t.co/HahJUCcyH4