6 Mar

ACF Chat Fridays: ACF 6.2.7 Security Q&A and Upcoming Conditional Logic Enhancements

By Mike Davey

Held every two weeks, ACF Chat Fridays are where WordPress developers and the ACF team come together to learn, share, and explore the possibilities of Advanced Custom Fields.

The March 1st session of ACF Chat Fridays discussed the release of ACF 6.2.7, improvements coming to conditional logic in ACF 6.3, and much more.

Co-hosted by Iain Poulson, Matt Shaw, Liam Gladdy, Anthony Burchell, Phil Johnston, and Brian Hardie.


Session Recording

You can see the entire session in the player below, or catch the highlights in the session summary.

Session Summary

The latest session kicked off with an introduction by Iain Poulson, noting the release of ACF 6.2.7 a few days earlier. This release enables the new the_field escaping behavior described in the [release post for ACF 6.2.5](https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/).

ACF 6.2.7 also includes a new filter for use with the ACF shortcode. The filter helps to increase security by limiting the fields the shortcode can access, but we still recommend disabling the shortcode if you’re not using it.

The next major release, ACF 6.3, includes a host of improvements and enhancements for ACF Blocks, including field validation support, the ability to save block data in post meta, and a new feature to help headless builders create frontend components with ACF.

In addition, 6.3 improves how conditional logic shows and hides fields based on taxonomy, user, or post object. This process is not very intuitive currently, as you have to know the ID of the category or term. In ACF 6.3, you’ll be able to see the taxonomy terms, users, etc., that you can select from when you’re building the conditional logic.

During the session, Anthony Burchell gave a demo of the improvements coming to conditional logic. You can jump to that part here.

Q&A

We’ve included some of the questions and answers from the latest session below. Minor edits have been made for clarity and style.

Q: I use the ACF shortcode with HubSpot forms, but it isn’t working with the 6.2.5 update. How can I make this visible?

A: It’s possible to conditionally disable the new behavior, as long as you trust all your users with the role of contributor or higher. To do this, you would usually place the new code in a customization plugin, or in the functions.php file of a child theme.
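One way to scope that exemption narrowly, together with the earlier recommendation to disable the shortcode when it is unused. This is an added example, not code from the session or from the ACF team; it uses the `allow_unsafe_html` filters documented in the ACF 6.2.5 release post and the `enable_shortcode` setting, and the field name and constant names are hypothetical placeholders.

```php
<?php
/**
 * Added example: keep ACF's HTML escaping on everywhere except for an
 * explicit allowlist of fields. Goes in a customization plugin or a
 * child theme's functions.php.
 */

// Hypothetical field names whose stored markup (for example an embed
// snippet) must reach the page unescaped. Keep this list as short as possible.
const MY_ACF_UNSAFE_HTML_FIELDS = array( 'hubspot_form_embed' );

// Set to false when nothing on the site uses the [acf] shortcode.
const MY_ACF_SHORTCODE_IN_USE = true;

// Turn the shortcode off entirely when it is not needed.
add_action( 'acf/init', function () {
    if ( ! MY_ACF_SHORTCODE_IN_USE ) {
        acf_update_setting( 'enable_shortcode', false );
    }
} );

// [acf field="..."]: exempt only allowlisted fields from escaping.
add_filter( 'acf/shortcode/allow_unsafe_html', function ( $allowed, $atts ) {
    $field = isset( $atts['field'] ) ? (string) $atts['field'] : '';

    // Any field not on the list keeps the default (escaped) behavior.
    return in_array( $field, MY_ACF_UNSAFE_HTML_FIELDS, true ) ? true : $allowed;
}, 10, 2 );

// the_field(): the same allowlist, matched against the field selector.
add_filter( 'acf/the_field/allow_unsafe_html', function ( $allowed, $selector ) {
    return in_array( $selector, MY_ACF_UNSAFE_HTML_FIELDS, true ) ? true : $allowed;
}, 10, 2 );
```

Anyone who can edit an allowlisted field can still place arbitrary markup on the page, so the trust condition in the answer above applies to those fields.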

Q: I manage a WordPress VIP environment in which we host approximately 25 corporate sites, and some of our agencies use ACF and ACF PRO. WordPress VIP lists some ACF incompatibilities, and I’m just wondering if you have any road map for compatibility with WordPress VIP out of the gate, without the need for workarounds.

A: The good news is the fixes introduced in 6.2.7 solve the biggest problem WordPress VIP had with ACF! They recommend never using the_field and only using get_field when combined with an escaping function. ACF takes care of escaping now, as long as you’re on the right version.

ACF 6.2.7 puts the plugin in a much better place with regards to WordPress VIP’s recommendations. What remains really are just recommendations at this point, like registering fields in PHP and disabling field editing on live sites.

They also note that there are some steps you must take when using fields that interact with images, but this is because the WordPress VIP File System doesn’t create intermediate image sizes as separate files, and is not limited to ACF.

Q: In ACF 6.2.7, fields using Select2 escape HTML from the output. We sometimes need to add HTML markup to these, for example to display icons. Also, the escaping only seems to work with the selected value and doesn’t affect the dropdown if Ajax is enabled.

A: By allowing any HTML, you can get into a situation where a user could maliciously set their username to something that would then be rendered and executed in the browser. It was an XSS vulnerability, so we had to disable HTML in Select2 values by default.

The best way of solving this is to just copy whichever field type you’re using, and create a different version of it that supports the HTML properly. In that, you can initialize the Select2 yourself with your own template that has the markup that is allowed.

Q: Is there a way to manually clear the ACF cache? I’m using a new plugin by WP Connect called Airtable WP Sync Pro+, which is supposed to support all ACF field types. When I run a sync, it updates the ACF Custom Post Type and all the fields, but when I look at the live pages, only the default WordPress fields write to the page. The ACF fields aren’t writing, even though they are written into the template. The WP Connect support folks think it might be that the ACF cache isn’t clearing or updating.

A: ACF doesn’t have a long-term cache, it’s only ever the state of the page. It’s possible that your host might have a cache that we’re compatible with that sits on top, but that’s very specific to different hosts.

It’s also possible that it’s syncing over the values into post meta without using the ACF meta key, which essentially ties a meta value back to the field type. If that doesn’t exist, depending on how your template is outputting the files, it will refuse to display for security purposes. ACF won’t let you access things it doesn’t control, so it’s possible that it’s running into this issue as well. In this case, it’s probably best to contact support so we can look into this a bit deeper.

Q: Regarding the new conditional logic enhancements coming in ACF 6.3, can it be used with the Flexible Content field? For example, could you do something like “If this taxonomy exists, put in an accordion?”

A: Not dynamically, but you could make an accordion that only shows up if a certain condition is met and have essentially the same experience. You can do this in the Layout settings for the Flexible Content field. This allows for very intricate layouts when it comes to showing and hiding content.

We share relevant resources during the call. We’ll sum them up here and try to provide a bit of context:

Coming Up on ACF Chat Fridays

Register today for the next session of ACF Chat Fridays, taking place March 15th, 2024 at 3pm UTC. Questions and suggestions for the development team are always welcome.

What do you think we should cover as we move further into 2024? Let us know on Twitter.

Register for the next session of ACF Chat Fridays here:

https://wpeng.in/acf-chat-fridays/

The list of upcoming sessions is below.

  • March 15, 2024
  • April 12, 2024
  • April 26, 2024

Tag or DM us on Twitter to let us know you’ll be there. Suggest new topics, let us know what you’d like to see, and send us feedback with #ACFChatFridays on Twitter.
