How to use ACF securely

We’re aware that, as a developer using ACF, you may have a use case for storing HTML which needs to be output in an unsafe manner, such as using a Text Area field to store the full tags which should be output, so that your users can edit them.

Field type changes

As part of these changes, we’ve also made changes across ACF that let developers allow HTML where they need to.

In the case of the WYSIWYG field, this means the field will escape HTML before it runs filters which handle embedding. For more information on the changes to field types which may affect third-party fields, please see our documentation for creating a field type.
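The following is an added example, not code from the original page: one way to allow HTML only where it is needed, for a theme's functions.php on a site running WordPress and ACF. The hooks `wp_kses_allowed_html` (WordPress) and `acf/the_field/allow_unsafe_html` (ACF) are not named on this page, and the field names `map_embed` and `tracking_snippet` are hypothetical.

```php
<?php
/**
 * Added example (requires WordPress and ACF; place in the theme's functions.php).
 * Field names 'map_embed' and 'tracking_snippet' are hypothetical.
 */

// Option 1 (preferred): keep escaping switched on, and extend the allowlist
// used for ACF output (kses context 'acf') with just the one tag and the
// attributes the embed needs. Everything else is still stripped.
add_filter( 'wp_kses_allowed_html', function ( $tags, $context ) {
    if ( 'acf' === $context ) {
        $tags['iframe'] = array(
            'src'             => true,
            'width'           => true,
            'height'          => true,
            'allowfullscreen' => true,
        );
    }
    return $tags;
}, 10, 2 );

// Option 2 (last resort): let a single named field skip escaping when it is
// printed with the_field(). Every other field keeps the default behaviour
// because the incoming $allowed value is passed through unchanged.
add_filter( 'acf/the_field/allow_unsafe_html', function ( $allowed, $selector ) {
    if ( 'tracking_snippet' === $selector ) {
        return true;
    }
    return $allowed;
}, 10, 2 );

// In a template:
//   the_field( 'map_embed' );        // escaped, iframe kept via Option 1
//   the_field( 'tracking_snippet' ); // unescaped, via Option 2 only
```

Option 2 turns the field into a stored-XSS sink for anyone who can edit it, so restrict editing of that field to roles that already hold the `unfiltered_html` capability.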

Detection and notice information

Whenever we detect that escaping the field value has modified the output value, ACF will log data about the affected function call.

Admin users have the ability to dismiss the message, which will also clear the log. Dismissing the notice after you’ve made fixes will allow you to verify you’ve fixed every instance, as the message will not return after the affected pages have been loaded.

  • There isn’t a plugin for the package you want to use.
  • The plugin is out of date and doesn’t support the underlying package properly.
  • The plugin doesn’t support a feature you’d like to use for the underlying package.
  • The plugin documentation is lacking or unclear.
  • The plugin doesn’t handle errors well.

Since most packages usually have a CLI, a simple solution to these problems would be to remove the (sometimes complex) abstraction of build tools altogether and run the underlying packages manually on the command line. This is a great solution, but how are you going to remember all of those CLI commands and their options? And how are you going to chain them together? Wouldn’t it be nice if you could just run a single CLI command and have them all run in the right order, and at the same time?

  1. Compile Sass to CSS.
  2. Concatenate and minify CSS and JavaScript.
  3. Optimize images.
  4. Watch file sets and run a command when anything is added, changed or deleted.