Advanced Custom Fields version 6.2.6 is now available.
We’ve also released ACF 6.2.6.1 which resolves an issue with editing fields in the classic editor when Yoast is installed.
This release contains several bug fixes and improvements, including a new way to return an escaped value from get_field() and related functions.
👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.
Easier Escaping for get_field() and Related Functions
In previous versions of ACF we’ve recommended using the WordPress core escaping functions for escaping data that will be output to your theme or plugin using get_field() or similar get_ functions. That could look something like the following:
$value = get_field( 'text_field' );
if ( $value ) {
    echo wp_kses_post( $value );
}
Ahead of 6.2.7’s upcoming changes later this month to enable escaping automatically in the_field and the_sub_field, in ACF and ACF PRO 6.2.6, we’ve added a new optional $escape_html parameter to get_field() and similar functions that can be used to return the ACF escaped value:
get_field( $selector, $post_id = false, $format_value = false, $escape_html = false );
This optional parameter is set to false by default, which means that any existing code using get_field() or similar get_ functions will be unaffected by this change. Additionally, it requires that the $format_value parameter is set to true, otherwise an incorrect usage notice will be thrown and the field value will not be returned.
Using this parameter, rather than escaping the value yourself, allows field type specific escaping to take place. For example, the WYSIWYG field performs its escaping before shortcodes and other the_content filters are applied, meaning shortcodes which generate iframes or script tags aren’t removed.
Here’s how the example above could look with the new parameter:
// Passing true as the fourth parameter will apply wp_kses() with the acf context.
$value = get_field( 'text_field', $post_id, true, true );
if ( $value ) {
    echo $value; // XSS ok.
}
For most field types, the value will be passed through wp_kses() with the acf context, which allows for filtering the allowed HTML as shown in our HTML Escaping doc. Some field types, such as the WYSIWYG field and the oEmbed field, have their own escaping methods and will apply those automatically.
The optional $escape_html parameter has been added to the following functions:
- get_field()
- get_fields()
- get_field_object()
- get_field_objects()
- get_sub_field()
- get_sub_field_object()
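The following is an added example of theme code, not code from ACF or from this release. It combines the $escape_html parameter with a filter on the acf kses context; the helper name example_render_field(), the field name intro_text, and the choice of the abbr tag are hypothetical, and the array branch assumes nothing about how array values are escaped.

```php
<?php
// Added example (not ACF's own code). Names prefixed "example_" are hypothetical.

// wp_kses_allowed_html is the WordPress core filter that receives the kses
// context name, so the allow-list can be adjusted for the 'acf' context only.
add_filter( 'wp_kses_allowed_html', function ( $tags, $context ) {
    if ( 'acf' === $context ) {
        // Permit <abbr title="..."> in escaped ACF output; nothing else changes.
        $tags['abbr'] = array( 'title' => true );
    }
    return $tags;
}, 10, 2 );

/**
 * Echo a field value using ACF's field type specific escaping.
 */
function example_render_field( $selector, $post_id = false ) {
    // $format_value (third argument) must be true whenever $escape_html is true,
    // otherwise ACF raises an incorrect usage notice and returns no value.
    $value = get_field( $selector, $post_id, true, true );

    if ( ! $value ) {
        return; // Empty field, or nothing returned because of incorrect usage.
    }

    if ( is_array( $value ) ) {
        // Array returning field types: assumption for this example is that the
        // template should still escape each scalar leaf where it is printed.
        echo '<ul>';
        array_walk_recursive( $value, function ( $leaf ) {
            if ( is_scalar( $leaf ) ) {
                echo '<li>' . esc_html( (string) $leaf ) . '</li>';
            }
        } );
        echo '</ul>';
        return;
    }

    echo $value; // Already escaped by ACF for this field type.
}

example_render_field( 'intro_text' ); // 'intro_text' is a constructed field name.
```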
6.2.6.1 Changelog
- Fix – Fatal JS error no longer occurs when editing fields in the classic editor when Yoast or other plugins which load block editor components are installed
- Fix – Using $escape_html on get functions for array returning field types no longer produces an Array to string conversion error
6.2.6 Changelog
- Enhancement – The get_field() and other get_ functions now support an escape_html parameter which returns an HTML safe field value
- Enhancement – The URL field will now be escaped with esc_url rather than wp_kses_post when returning an HTML safe value
- Fix – ACF fields will now correctly save into the WordPress created revision resolving issues with previews of drafts on WordPress 6.4 or newer.
- Fix – Multisite subsites will now correctly be activated by the main site where the ACF PRO license allows, hiding the updates page on those subsites
- Fix – Field types in which the required property would have no effect (such as the tab, or accordion) will no longer show the option
- Fix – Duplicating a field group now maintains the current page of field groups being displayed
- Fix – Fields in ACF Blocks in edit mode in hybrid themes will now use ACF’s styling, rather than some attributes being overridden by the theme
- Fix – Text in some admin notices will no longer overlap the dismiss button
- Fix – The word link is now prohibited from being used as a CPT name to avoid a WordPress core conflict
- Fix – Flexible content layouts can no longer be duplicated over their maximum count limit
- Fix – All ACF notifications shown outside of ACF’s admin screens are now prefixed with the plugin name
- Fix – ACF no longer checks if a polyfill is needed for <PHP7 and the polyfill has been removed.