How to use ACF securely

As a developer using ACF, you may have a use case that requires storing HTML and outputting it unescaped, such as using a Text Area field to store complete HTML tags that should be output as-is so your users can edit them.

Field type changes

Alongside the escaping changes, we've also made adjustments across ACF so that developers can allow HTML where they need to.

In the case of the WYSIWYG field, this means the field escapes HTML before it runs the filters that handle embeds. For more information on the changes to field types that may affect third-party fields, please see our documentation on creating a field type.

Detection and notice information

Whenever we detect that escaping the field value has modified the output value, ACF will log data about the affected function call.
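As an added illustration, not ACF's own code, the helper below shows the two behaviours described above in one place: it escapes a field value on output, lets a template opt in to HTML for a specific field, and logs the call site whenever escaping changed the value. The function name demo_the_field_escaped and the $allow_html parameter are assumptions; get_field(), esc_html(), wp_kses_post() and error_log() are the standard ACF, WordPress and PHP functions, so the snippet assumes WordPress and ACF are loaded.

```php
<?php
/**
 * Added example (not ACF's own code). Assumes WordPress and ACF are loaded.
 * The function name and the $allow_html opt-in are illustrative assumptions.
 */
function demo_the_field_escaped( $selector, $post_id = false, $allow_html = false ) {
    $raw = get_field( $selector, $post_id );

    // Only scalar values are output here; arrays and objects need their own handling.
    if ( ! is_scalar( $raw ) ) {
        return;
    }
    $raw = (string) $raw;

    // Default: escape everything. Opt-in: keep only the HTML that post content may carry.
    $escaped = $allow_html ? wp_kses_post( $raw ) : esc_html( $raw );

    // Detection: if escaping changed the value, the template was relying on
    // unescaped output. Record the selector and call site so it can be reviewed.
    if ( $escaped !== $raw ) {
        $caller = debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS, 1 )[0];
        error_log( sprintf(
            'demo_the_field_escaped: escaping modified "%s" (allow_html=%s) at %s:%d',
            $selector,
            $allow_html ? 'yes' : 'no',
            $caller['file'] ?? 'unknown',
            $caller['line'] ?? 0
        ) );
    }

    echo $escaped;
}

// Usage in a template: plain text field escaped fully, HTML field with explicit opt-in.
// demo_the_field_escaped( 'tagline' );
// demo_the_field_escaped( 'intro_html', false, true );
```

Reviewing the logged selectors and call sites tells you which templates still depend on unescaped output and should either be left escaped or opted in deliberately.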

Admin users can dismiss the message, which also clears the log. Dismissing the notice after you've made fixes lets you verify that every instance has been fixed, since the message will not return once the affected pages have been loaded again.