Advanced Custom Fields version 6.2.6 is now available.
We’ve also released ACF 6.2.6.1 which resolves an issue with editing fields in the classic editor when Yoast is installed.
This release contains several bug fixes and improvements, including a new way to return an escaped value from get_field() and related functions.
👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.
Easier Escaping for get_field() and Related Functions
In previous versions of ACF we’ve recommended using the WordPress core escaping functions for escaping data that will be output to your theme or plugin using get_field() or similar get_ functions. That could look something like the following:
$value = get_field( 'text_field' );
if ( $value ) {
echo wp_kses_post( $value );
}
Ahead of 6.2.7’s upcoming changes later this month to enable escaping automatically in the_field and the_sub_field, in ACF and ACF PRO 6.2.6, we’ve added a new optional $escape_html parameter to get_field() and similar functions that can be used to return the ACF escaped value:
get_field( $selector, $post_id = false, $format_value = false, $escape_html = false );
This optional parameter is set to false by default, which means that any existing code using get_field() or similar get_ functions will be unaffected by this change. Additionally, it requires that the $format_value parameter is set to true, otherwise an incorrect usage notice will be thrown and the field value will not be returned.
Using this parameter, rather than escaping the value yourself, allows field type specific escaping to take place. For example, the WYSIWYG field performs its escaping before shortcodes and other the_content filters are applied, meaning shortcodes which generate iframes or script tags aren’t removed.
Here’s how the example above could look with the new parameter:
// Passing true as the fourth parameter will apply wp_kses() with the acf context.
$value = get_field( 'text_field', $post_id, true, true );
if ( $value ) {
echo $value; // XSS ok.
}
For most field types, the value will be passed through wp_kses() with the acf context, which allows for filtering the allowed HTML as shown in our HTML Escaping doc. Some field types, such as the WYSIWYG field and the oEmbed field, have their own escaping methods and will apply those automatically.
The optional $escape_html parameter has been added to the following functions:
- get_field()
- get_fields()
- get_field_object()
- get_field_objects()
- get_sub_field()
- get_sub_field_object()
6.2.6.1 Changelog
- Fix – Fatal JS error no longer occurs when editing fields in the classic editor when Yoast or other plugins which load block editor components are installed
- Fix – Using
$escape_htmlon get functions for array returning field types no longer produces an Array to string conversion error
6.2.6 Changelog
- Enhancement – The
get_field()and otherget_functions now support anescape_htmlparameter which return an HTML safe field value - Enhancement – The URL field will be now escaped with
esc_urlrather thanwp_kses_postwhen returning an HTML safe value - Fix – ACF fields will now correctly save into the WordPress created revision resolving issues with previews of drafts on WordPress 6.4 or newer.
- Fix – Multisite subsites will now correctly be activated by the main site where the ACF PRO license allows, hiding the updates page on those subsites
- Fix – Field types in which the
requiredproperty would have no effect (such as the tab, or accordion) will no longer show the option - Fix – Duplicating a field group now maintains the current page of field groups being displayed
- Fix – Fields in ACF Blocks in edit mode in hybrid themes will now use ACF’s styling, rather than some attributes being overridden by the theme
- Fix – Text in some admin notices will no longer overlap the dismiss button
- Fix – The word
linkis now prohibited from being used as a CPT name to avoid a WordPress core conflict - Fix – Flexible content layouts can no longer be duplicated over their maximum count limit
- Fix – All ACF notifications shown outside of ACF’s admin screens are now prefixed with the plugin name
- Fix – ACF no longer checks if a polyfill is needed for <PHP7 and the polyfill has been removed.
About the Author
Matt is a WordPress plugin developer located near Philadelphia, PA. He loves to create awesome new tools with PHP, JavaScript, and whatever else he happens to get his hands on.
