@pbrocks
Forked from tomjn/securing-acf.php
Created July 12, 2022 13:38
ACF's `the_field()` echoes the stored field value without escaping, so it is insecure by default; here is a selection of context-specific wrappers that fix that. Newer ACF releases run `the_field()` output through an HTML filter by default, but that is not context-aware escaping: a value landing in an `href`, an attribute, or a JavaScript string still needs the matching `esc_*()` function for that context.
<?php
/**
 * Context-specific replacements for ACF's the_field().
 *
 * the_field() prints the stored value verbatim, so any field an editor (or a
 * compromised editor account) controls becomes an XSS sink. Each wrapper below
 * fetches the value with get_field() and escapes it for exactly one output
 * context; pick the wrapper by where the value lands, not by what the field is.
 * As in ACF's own signature, a falsy $post_id means the current post.
 * Fields that return arrays (image, repeater, relationship) must be unpacked
 * first: the esc_*() functions expect a string.
 */

// href/src attributes. esc_url() rejects javascript: and other unlisted schemes.
function the_field_url( $selector, $post_id = 0, $format_value = true ) {
	echo esc_url( get_field( $selector, $post_id, $format_value ) );
}
// Non-display URL use (redirect targets, storage). Not HTML-encoded.
function the_field_url_raw( $selector, $post_id = 0, $format_value = true ) {
	echo esc_url_raw( get_field( $selector, $post_id, $format_value ) );
}
// Quoted HTML attribute values other than URLs.
function the_field_attr( $selector, $post_id = 0, $format_value = true ) {
	echo esc_attr( get_field( $selector, $post_id, $format_value ) );
}
// Inside a quoted JavaScript string literal in an attribute, e.g. onclick="f('...')".
function the_field_js( $selector, $post_id = 0, $format_value = true ) {
	echo esc_js( get_field( $selector, $post_id, $format_value ) );
}
// Element text content.
function the_field_html( $selector, $post_id = 0, $format_value = true ) {
	echo esc_html( get_field( $selector, $post_id, $format_value ) );
}
// Rich text from a WYSIWYG field: keeps the tags allowed in post content.
function the_field_kses_post( $selector, $post_id = 0, $format_value = true ) {
	echo wp_kses_post( get_field( $selector, $post_id, $format_value ) );
}
// Custom allow-list: an array for wp_kses() or a context name such as 'post'.
// Defaults to array() (strip every tag); a required parameter after optional
// ones is deprecated in PHP 8.
function the_field_kses( $selector, $post_id = 0, $format_value = true, $allowed_html = array() ) {
	echo wp_kses( get_field( $selector, $post_id, $format_value ), $allowed_html );
}
// JSON for a <script> block or data attribute. The JSON_HEX_* flags encode
// < > & ' " so a string value cannot close the script tag or the attribute.
function the_field_json_encode( $selector, $post_id = 0, $format_value = true ) {
	echo wp_json_encode( get_field( $selector, $post_id, $format_value ), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
}
// <textarea> contents.
function the_field_textarea( $selector, $post_id = 0, $format_value = true ) {
	echo esc_textarea( get_field( $selector, $post_id, $format_value ) );
}
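As an added example (not part of the gist, and not ACF's own code), here is a theme template fragment that routes each field to the wrapper matching its output context, assuming WordPress and ACF are loaded and the wrappers above are defined. The field names (`hero_image`, `headline`, `cta_url`, `cta_label`, `tracking_id`, `body`, `tagline`, `event_name`, `config`, `notes`) and the `track()` JavaScript function are hypothetical.

```php
<?php
/**
 * Added example: one template using the right wrapper per output context.
 * Assumes WordPress + ACF are loaded and the gist's wrappers are defined.
 * All field names below are hypothetical.
 *
 * What the gist replaces: <h1><?php the_field( 'headline' ); ?></h1>
 * prints whatever an editor typed, including <script>, verbatim.
 */

// Array-valued fields: escape the piece you output, never the whole array.
// An image field set to "Image Array" returns an array, or false when empty.
$hero     = get_field( 'hero_image' );
$hero_url = ( is_array( $hero ) && isset( $hero['url'] ) ) ? $hero['url'] : '';
$hero_alt = ( is_array( $hero ) && isset( $hero['alt'] ) ) ? $hero['alt'] : '';

// Allow-list for the_field_kses(): inline formatting only; links limited to
// href/title/rel so on* handlers and style attributes are dropped.
$inline_tags = array(
	'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
	'strong' => array(),
	'em'     => array(),
	'br'     => array(),
);
?>
<section class="hero">
	<?php if ( $hero_url ) : ?>
		<img src="<?php echo esc_url( $hero_url ); ?>" alt="<?php echo esc_attr( $hero_alt ); ?>">
	<?php endif; ?>

	<!-- Element text: esc_html() -->
	<h1><?php the_field_html( 'headline' ); ?></h1>

	<!-- href needs esc_url(), not esc_attr(): "javascript:alert(1)" contains no
	     character esc_attr() encodes, so it would survive as a live link. -->
	<a class="cta"
	   href="<?php the_field_url( 'cta_url' ); ?>"
	   title="<?php the_field_attr( 'cta_label' ); ?>"
	   data-track="<?php the_field_attr( 'tracking_id' ); ?>">
		<?php the_field_html( 'cta_label' ); ?>
	</a>

	<!-- WYSIWYG content: keep post-safe HTML, drop scripts and event handlers -->
	<div class="body"><?php the_field_kses_post( 'body' ); ?></div>

	<!-- Short rich text with the tighter allow-list defined above -->
	<p class="tagline"><?php the_field_kses( 'tagline', 0, true, $inline_tags ); ?></p>

	<!-- esc_js() is only safe inside a quoted JS string literal -->
	<button onclick="track('<?php the_field_js( 'event_name' ); ?>')">Track</button>

	<!-- Structured data for client-side code. The JSON_HEX_* flags encode < > & ' "
	     so a string value containing "</script>" cannot terminate the block. -->
	<script type="application/json" id="hero-config"><?php
		echo wp_json_encode( get_field( 'config' ), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
	?></script>

	<!-- Form field contents -->
	<textarea name="notes"><?php the_field_textarea( 'notes' ); ?></textarea>
</section>
```

The rule the template follows is that the escaper is chosen by the sink (text node, attribute, URL, JS string, JSON, textarea), not by the field type; a single field may need different wrappers in different places, as `cta_label` does above in a `title` attribute and as link text.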