Need Urgent Solution on the new notification after the last update

  • Hello,

    After updating the plugin to the latest version (6.2.5) I got this notification on the admin dashboard:

    ACF PRO — ACF will soon escape unsafe HTML that is rendered by the_field(). We’ve detected the output of some of your fields will be modified by this change. Learn how to fix. Hide details

    welcome_block_title (welcome_block_title) – rendered via the_field
    location_link (locations_0_location_link) – rendered via the_sub_field
    title_style_two_short_description (title_style_two_short_description) – rendered via the_field

    Please advise how to fix it. The “Learn how to fix” link is too complicated for non-developers, so can you please explain what this is and how to fix it ASAP!

    The main purpose of using plugins is to avoid any code development process, and this plugin goes beyond this! Most people do not have experience in coding or amending the theme code, so could you please advise how to fix this!

    Note: the support team keeps sharing a general guide requesting to amend the theme files,
    so please do not share these files, and give me the steps to solve it. “I mean, if code needs to be added, what is it? Where do I add it? Which file?”

    Thanks a lot

  • There really are no step-by-step instructions. If your theme was custom coded using ACF, you need to search all of the theme files for calls to the_field() and the_sub_field(). If these functions are used and it is on a field where you do not want ACF to remove something, then you must replace these function calls with the alternative get_field() and get_sub_field() function calls.

    replace

    
    the_field(...);
    

    with

    
    echo get_field(...);
    

    replace

    
    the_sub_field(...);
    

    with

    
    echo get_sub_field(...);
    
  • We have a different issue, which is even after swapping out the calls, we still have the notification showing up in the admin area.

  • ACF is not checking your templates for the use of specific functions for specific fields.

    ACF is not checking to see if you’re using shortcodes for specific fields.

    ACF has no idea if there is actually a problem or not.

    ACF is simply looking at the content on a given page when you load the admin and comparing the content before and after applying wp_kses() to see if they are different.

    Altering your code on the site will not change the fact that you have content in your database that will be altered by wp_kses().

    The warning is so that you know there is a difference and do something to prevent the altering of your content by wp_kses() before they release the version that will actually alter that content so that you can prevent your site from breaking when that update is released.

  • Thank you for the information. This is immensely helpful to note!

  • @edgewebware && @John Huebner
    can you please advise then what should I do??

    This plugin’s upcoming update is not acceptable at all, the main use of plugins is to get rid of such headaches! … can anybody in brief and clear steps tell me what can I do please ??

    Thank you..

  • Just paste the below code in Theme > functions file.

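    // Register the callback on WordPress's allowed-HTML filter (2 arguments: $tags, $context).
    add_filter( 'wp_kses_allowed_html', 'acf_add_allowed_iframe_tag', 10, 2 );

    // Allow <iframe> with a fixed set of attributes, only in ACF's escaping context.
    function acf_add_allowed_iframe_tag( $tags, $context ) {
        if ( $context === 'acf' ) {
            $tags['iframe'] = array(
                'src'             => true,
                'height'          => true,
                'width'           => true,
                'frameborder'     => true,
                'allowfullscreen' => true,
            );
        }

        return $tags;
    }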

    https://www.advancedcustomfields.com/resources/html-escaping/#customization
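
The before/after wp_kses() comparison described earlier in the thread, and the scope of the iframe allow-list filter posted above, as an added example that is not part of any forum post or of ACF's own code. It assumes WordPress with ACF 6.2.5 or later active and is run through WP-CLI (`wp eval-file kses-diff.php`); `report_kses_changes()` and the sample field names and values are constructed for illustration, and calling wp_kses() with the `'acf'` context is an assumption about how to mirror ACF's check.

```php
<?php
// Added example. Requires a loaded WordPress with ACF active (assumption).
// Sample field names and values are constructed, not taken from the thread.

/**
 * Hypothetical helper: return the values that wp_kses() would alter in the
 * 'acf' context, keyed by field name, with the escaped result as the value.
 */
function report_kses_changes( array $values ) {
    $changed = array();
    foreach ( $values as $name => $raw ) {
        $escaped = wp_kses( $raw, 'acf' );
        // Same idea as the admin notice: flag any value whose escaped
        // form differs from what is stored.
        if ( $escaped !== $raw ) {
            $changed[ $name ] = $escaped;
        }
    }
    return $changed;
}

$samples = array(
    'plain_title'  => 'Welcome to <strong>our</strong> site',
    'map_embed'    => '<iframe src="https://example.com/map" width="600" height="400"></iframe>',
    'footer_code'  => '<script>console.log("tracking");</script>',
    'inline_click' => '<a href="#" onclick="openModal()">Open</a>',
);

// Pass 1: the allow-list as ACF ships it.
$before = report_kses_changes( $samples );
printf( "Altered without the iframe filter: %s\n", implode( ', ', array_keys( $before ) ) );

// Pass 2: the same check after allowing <iframe> in the 'acf' context only.
add_filter( 'wp_kses_allowed_html', function ( $tags, $context ) {
    if ( 'acf' === $context ) {
        $tags['iframe'] = array( 'src' => true, 'height' => true, 'width' => true );
    }
    return $tags;
}, 10, 2 );

$after = report_kses_changes( $samples );
printf( "Altered with the iframe filter:    %s\n", implode( ', ', array_keys( $after ) ) );

// Show exactly what would be rendered for anything still flagged.
foreach ( $after as $name => $escaped ) {
    printf( "%s => %s\n", $name, $escaped );
}
```

Any field still listed in the second pass contains markup other than the tags and attributes the filter allows, so extending the allow-list for `iframe` does not affect it.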

  • Thank you for your reply, but will this solve all the above notifications??
    or only the iframe?

    as I am getting these notifications in the admin dashboard:

    ACF PRO — ACF will soon escape unsafe HTML that is rendered by the_field(). We’ve detected the output of some of your fields will be modified by this change. Learn how to fix. Hide details

    – welcome_block_title (welcome_block_title) – rendered via the_field

    – designation (designation) – rendered via the_field

    – gans_tab_content_content_list_item (gans_tab_2_gans_tab_content_content_list_items_10_gans_tab_content_content_list_item) – rendered via the_sub_field

    – title_style_two_short_description (title_style_two_short_description) – rendered via the_field

    – location_link (locations_0_location_link) – rendered via the_sub_field

    – category_course_name (course_category_1_category_courses_10_category_course_name) – rendered via the_sub_field

    and so on; each time I refresh the page, new items are added to the list above…

    please advise if the code snippet that you mentioned will solve all of this?

    Thank you.

  • It would be very helpful if the notice in the backend disappeared once the code was adapted accordingly. After all, passages that caused the hint were found in the edition.

    I no longer have the output of the_field() in all files in the theme and the notice still appears.

    And the fields mentioned in the note were previously output using the_field().

  • AGREE Thomas – It would be very helpful if the notice in the backend disappeared once the code was fixed!

  • 100% agree with Thomas.
    My code has no the_field anymore but I still see this ACF msg:

    field_name rendered via the_field

    Why do I see it? It’s 100% wrong.

  • Thank you for clarifying.

    ACF is not checking your templates for the use of specific functions for specific fields.

    ACF is not checking to see if you’re using shortcodes for specific fields.

    ACF has no idea if there is actually a problem or not.

    ACF is simply looking at the content on a given page when you load the admin and comparing the content before and after applying wp_kses() to see if they are different.

    Altering your code on the site will not change the fact that you have content in your database that will be altered by wp_kses().

    The warning is so that you know there is a difference and do something to prevent the altering of your content by wp_kses() before they release the version that will actually alter that content so that you can prevent your site from breaking when that update is released.

    I found the confusion in the verbiage of the warnings:

    When I see a warning
    “footer_code (Footer Code) – rendered via the_field” (this may not be true)
    COULD READ MORE ACCURATELY (for all cases)
    “footer_code (Footer Code) – this is a notice for unfiltered HTML, please check render/display method” (something that is always true)
    (I used the words notice & unfiltered because notice doesn’t sound like a big deal and unfiltered sounds better than unsafe – for the sites where a client has elevated access, warnings and unsafe will scare them)

    Maybe I don’t understand wp_kses – can you please explain for dummies like me. I assume it is the filter function and it works on the output side of the data.

    Unfiltered/unsafe HTML is not being stripped when I save or view (thank goodness). So in the database all my unsafe code is stored safely, because my entire <script> is still visible on the backend. So I have to assume it gets stripped on the output side of wp_kses (if that is a thing – input/output).

    ACF ONLY KNOWS that I have unsafe/unfiltered code in a field that will output in stripped manner if not corrected.

    Can someone elaborate or poke holes in my thought process?

    To Add switch to theme options to enable/disable warning:
    – create a Button Group Field in an options page
    – field name = acfwarning_enabledisable
    – Choices:
    – – enabled : Hide Warning
    – – disabled : Display Warning

    Add to a functions file:

    // ACF warning enable/disable filter
    // https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/
    // Read the Button Group value from the options page.
    $acfwarning_enable_disable = get_field( 'acfwarning_enabledisable', 'option' );
    // The value must match the choice key defined above ('enabled' = Hide Warning).
    if ( 'enabled' === $acfwarning_enable_disable ) {
        add_filter( 'acf/admin/prevent_escaped_html_notice', '__return_true' );
    } // end if enabledisable

    This function had to fire early and didn’t work when wrapped in if ACF class exists check – I try to check if ACF exists before running ACF functions – however the warning enable/disable didn’t work when wrapped with:

    if(class_exists('ACF')){
        // ACF functions go here
    } // close if ACF
  • Ignore my post above about the “warning” section.

    I have done a lot of writing and fixing site errors after updates and have a much better understanding.

    The warning displays after a field has its code altered. You can close the warning in the backend and it will NOT appear again until the frontend of the website is visited on a page that has the offending field which then re-triggers the warning.

    You must know what page each of the warnings is on.

    – Make your code changes.
    – Close the warning in the WP dashboard.
    – Reload the page on the frontend that had the field with the code stripped (if you fixed it, all should display properly).
    – Reload the dashboard and that warning should be removed from the warning list, or not display at all if that was your only warning.

    So removing or hiding the warning (at least for admins) is not a good idea and my code above is not recommended.
