6 Feb

ACF 6.2.6

By Matt Shaw

Advanced Custom Fields version 6.2.6 is now available.

We’ve also released ACF which resolves an issue with editing fields in the classic editor when Yoast is installed.

This release contains several bug fixes and improvements, including a new way to return an escaped value from get_field() and related functions.

👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.

Easier Escaping for get_field() and Related Functions

In previous versions of ACF we’ve recommended using the WordPress core escaping functions for escaping data that will be output to your theme or plugin using get_field() or similar get_ functions. That could look something like the following:

$value = get_field( 'text_field' );

if ( $value ) {
    echo wp_kses_post( $value );
}

Ahead of 6.2.7’s upcoming changes later this month to enable escaping automatically in the_field and the_sub_field, in ACF and ACF PRO 6.2.6, we’ve added a new optional $escape_html parameter to get_field() and similar functions that can be used to return the ACF escaped value:

get_field( $selector, $post_id = false, $format_value = true, $escape_html = false );

This optional parameter is set to false by default, which means that any existing code using get_field() or similar get_ functions will be unaffected by this change. Additionally, it requires that the $format_value parameter is set to true, otherwise an incorrect usage notice will be thrown and the field value will not be returned.

Using this parameter, rather than escaping the value yourself, allows field type specific escaping to take place. For example, the WYSIWYG field performs its escaping before shortcodes and other the_content filters are applied, meaning shortcodes which generate iframes or script tags aren’t removed.

Here’s how the example above could look with the new parameter:

// Passing true as the fourth parameter will apply wp_kses() with the acf context.
$value = get_field( 'text_field', $post_id, true, true );

if ( $value ) {
    echo $value; // XSS ok.
}

For most field types, the value will be passed through wp_kses() with the acf context, which allows for filtering the allowed HTML as shown in our HTML Escaping doc. Some field types, such as the WYSIWYG field and the oEmbed field, have their own escaping methods and will apply those automatically.
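The pieces above combined for a theme's functions.php, as an added example that is not code from the ACF post or plugin. It assumes WordPress with ACF 6.2.6 or later and relies on the standard wp_kses_allowed_html filter; the mytheme_* functions and the intro_text field name are hypothetical.

```php
<?php
// Added example for a theme's functions.php. Assumes WordPress with ACF 6.2.6+.
// The mytheme_* functions and the 'intro_text' field name are hypothetical.

// Tighten the allowed HTML for ACF's escaping only. The second argument is the
// kses context; ACF uses 'acf', so other wp_kses() callers are unaffected.
add_filter( 'wp_kses_allowed_html', 'mytheme_acf_allowed_html', 10, 2 );
function mytheme_acf_allowed_html( $tags, $context ) {
	if ( 'acf' === $context && is_array( $tags ) ) {
		// Drop elements this theme never expects inside field values.
		unset( $tags['form'], $tags['button'] );
	}
	return $tags;
}

// Fetch a field as an HTML-safe string for output in element content.
function mytheme_get_safe_field( $selector, $post_id = false ) {
	// $escape_html (4th argument) needs $format_value (3rd) to be true.
	// Passing false, true raises an incorrect usage notice and returns no value.
	$value = get_field( $selector, $post_id, true, true );

	// Array-returning field types have no single string to echo; this helper
	// only handles scalar output and leaves those fields to the caller.
	if ( ! is_scalar( $value ) ) {
		return '';
	}
	return (string) $value;
}

// Template usage: the value is already escaped by ACF. Running wp_kses_post()
// over it again could strip markup that field-type-specific escaping kept on
// purpose (see the WYSIWYG note above).
function mytheme_render_intro( $post_id = false ) {
	$intro = mytheme_get_safe_field( 'intro_text', $post_id );
	if ( '' !== $intro ) {
		echo '<div class="intro">' . $intro . '</div>'; // Escaped by ACF.
	}
}
```

The returned value is safe for element content; for an HTML attribute, fetch the unescaped value and pass it through esc_attr() instead.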

The optional $escape_html parameter has been added to the following functions:

Changelog

  • Fix – Fatal JS error no longer occurs when editing fields in the classic editor when Yoast or other plugins which load block editor components are installed
  • Fix – Using $escape_html on get functions for array returning field types no longer produces an Array to string conversion error

6.2.6 Changelog

  • Enhancement – The get_field() and other get_ functions now support an escape_html parameter which returns an HTML safe field value
  • Enhancement – The URL field will now be escaped with esc_url rather than wp_kses_post when returning an HTML safe value
  • Fix – ACF fields will now correctly save into the WordPress created revision resolving issues with previews of drafts on WordPress 6.4 or newer.
  • Fix – Multisite subsites will now correctly be activated by the main site where the ACF PRO license allows, hiding the updates page on those subsites
  • Fix – Field types in which the required property would have no effect (such as the tab, or accordion) will no longer show the option
  • Fix – Duplicating a field group now maintains the current page of field groups being displayed
  • Fix – Fields in ACF Blocks in edit mode in hybrid themes will now use ACF’s styling, rather than some attributes being overridden by the theme
  • Fix – Text in some admin notices will no longer overlap the dismiss button
  • Fix – The word link is now prohibited from being used as a CPT name to avoid a WordPress core conflict
  • Fix – Flexible content layouts can no longer be duplicated over their maximum count limit
  • Fix – All ACF notifications shown outside of ACF’s admin screens are now prefixed with the plugin name
  • Fix – ACF no longer checks if a polyfill is needed for <PHP7 and the polyfill has been removed.


  • Johan says:

    I implore you to not release the unsafe HTML in just a "patch", 6.2.7. This is a form of breaking change so you should release it at least as a "minor" update, 6.3.0. A lot of sites with auto-updating "patches" will break. Developers are ready, but a lot of site-owners have no idea what this change means.

    Best regards, Johan