How to fix: ACF now automatically escapes unsafe HTML when rendered by the_field or the ACF shortcode

Escaping the Maze: Mastering ACF’s New HTML Escape Mechanics 🚀

Hello, fellow WordPress aficionados! 🌟 Let’s talk about a game-changer in our beloved ACF PRO that’s causing both excitement and a bit of head-scratching in the community. Yes, you guessed it: ACF now automatically escapes unsafe HTML when rendered by the_field() or the ACF shortcode. Fear not! I’m here to demystify this update and arm you with the knowledge (and code) to tackle any challenges head-on.

Quick Recap: What’s ACF PRO Again? 🧐

For the uninitiated, Advanced Custom Fields (ACF) PRO is the powerhouse behind customizing WordPress sites, allowing you to add custom fields to your pages, posts, and even custom post types. It’s like giving your car a nitro boost but for your website.

The Update: Safety First! 🔐

ACF PRO’s latest update is like a superhero upgrade for your site’s security, automatically escaping unsafe HTML in fields. This means that it helps prevent nasty things like XSS attacks by ensuring that only clean, safe HTML is output through your custom fields.

  • The Update in a Nutshell: Automatically escapes unsafe HTML.
  • Affected Functions: the_field(), ACF shortcode.
  • Why It Matters: Enhances security, and minimizes XSS attack risks.

ACF will soon escape unsafe HTML that is rendered by the_field()

Breaking it Down: The Impact 🎯

So, what does this mean for you, the developer, designer, or site owner? Let’s dissect:

  • Pros: Enhanced security, peace of mind, reduced plugin reliance for sanitization.
  • Cons: Potential impact on fields that intentionally output HTML for functionality.

Looking to resolve the issue of unsafe HTML rendering with ACF PRO? Get expert assistance from Codeable’s WordPress developers today!

Find Developer

The Solution Space: Adapting to Change 🛠

Fear not! Adapting is our forte. Here’s how you can embrace this update without breaking a sweat:

1. Understanding the Change


// Before the update
echo get_field('custom_html_field');

// After the update
echo htmlspecialchars(get_field('custom_html_field'), ENT_QUOTES, 'UTF-8');


 

2. Safe HTML Output

If your field needs to output HTML safely, consider using wp_kses_post():

echo wp_kses_post(get_field('custom_html_field'));

 

3. Custom Sanitization

Need more control? Roll out your custom sanitization function:

function my_custom_sanitizer($content) {
   // Custom sanitization logic here
   return $content;
}

echo my_custom_sanitizer(get_field('custom_html_field'));

 

4. Whitelisting HTML Tags

Use wp_kses() to allow specific tags:

$allowed_tags = [
    'a' => [
        'href' => [],
        'title' => []
    ],
    'br' => [],
    'em' => [],
    'strong' => [],
];

echo wp_kses(get_field('custom_html_field'), $allowed_tags);

 

Navigating ACF PRO’s HTML Escape Functionality 🧭

Deep Dive: The the_field() Conundrum

Imagine you’ve got a custom field designed to embed YouTube videos directly into your posts. Previously, you’d add the iframe into your ACF field, and voila, it’d render seamlessly. Now, with automatic escaping in play, your iframe turns into a visible chunk of HTML code, rather than the intended video player.

The Problem:


<!-- What you entered in ACF -->
<iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

<!-- What renders on your site -->
&lt;iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen&gt;&lt;/iframe&gt;

The Solution:

Leverage WordPress’ wp_oembed_get() to safely embed videos, bypassing the need to directly input iframes into ACF fields:



// Fetch video URL from ACF field
$video_url = get_field('video_url');

// Use WordPress oEmbed functionality
echo wp_oembed_get($video_url);


 

 

This method ensures your embeds remain functional, sidestepping direct HTML input and keeping your site secure.

Scenario 2: Custom HTML in Text Fields

You’re using ACF to add custom HTML content to a page—perhaps a uniquely styled call-to-action (CTA) block. Post-update, your HTML is being escaped, stripping away the intended design and functionality.

Before the Update:


<div class="cta-block">
   <?php the_field('custom_html_cta'); ?>
</div>

 

Adapting:

Option 1: Use wp_kses_post() for Basic HTML

For basic HTML elements:


<div class="cta-block">
    <?php echo wp_kses_post(get_field('custom_html_cta')); ?>;
</div>

 

Option 2: Custom Allow-List with wp_kses()

When specific HTML elements and attributes are needed:


$allowed_html = array(
    'div' => array(
        'class' => array(),
    ),
    'a' => array(
        'href' => array(),
        'class' => array(),
        'title' => array(),
    ),
    'span' => array(
        'class' => array(),
    ),
    // Add more tags and attributes as needed
);

echo wp_kses(get_field('custom_html_cta'), $allowed_html);


Advanced Use Case: Dynamic Content with ACF and JavaScript

You’re injecting JavaScript via ACF fields for dynamic content customization. The update complicates direct script injection due to automatic escaping.

The Safe Path Forward:

Enqueue Scripts Properly

  1. Store your JavaScript code in external .js files.
  2. Enqueue these scripts using wp_enqueue_script() within your theme’s functions.php, or trigger them conditionally within your template files.

// Example: Enqueuing a custom script
function my_custom_scripts() {
    if (get_field('activate_custom_behavior', 'option')) { // Assuming 'option' page setting
        wp_enqueue_script('my-custom-script', get_template_directory_uri() . '/js/my-custom-script.js', array('jquery'), null, true);
    }
}
add_action('wp_enqueue_scripts', 'my_custom_scripts');


You can also use ACF fields to pass configuration or data to these scripts via localized script variables (wp_localize_script()).

// Localize script with data from ACF fields
function my_localized_script_data() {
    wp_localize_script('my-custom-script', 'MyScriptParams', array(
        'dynamicData' => get_field('dynamic_data', 'option'),
    ));
}
add_action('wp_enqueue_scripts', 'my_localized_script_data');

Given the constraints and the nature of your request, I’ll extend the content with more examples and delve deeper into practical scenarios. Let’s get into the nitty-gritty of working around ACF PRO’s HTML auto-escape functionality, ensuring your WordPress projects remain both dynamic and secure.

Navigating ACF PRO’s HTML Escape Functionality 🧭
Deep Dive: The the_field() Conundrum
Imagine you’ve got a custom field designed to embed YouTube videos directly into your posts. Previously, you’d add the iframe into your ACF field, and voila, it’d render seamlessly. Now, with automatic escaping in play, your iframe turns into a visible chunk of HTML code, rather than the intended video player.

The Problem:

<!-- What you entered in ACF -->
<iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

<!-- What renders on your site -->
&lt;iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen&gt;&lt;/iframe&gt;

The Solution:
Leverage WordPress’ wp_oembed_get() to safely embed videos, bypassing the need to directly input iframes into ACF fields:


// Fetch video URL from ACF field
$video_url = get_field('video_url');

// Use WordPress oEmbed functionality
echo wp_oembed_get($video_url);

This method ensures your embeds remain functional, sidestepping direct HTML input and keeping your site secure.

Scenario 2: Custom HTML in Text Fields
You’re using ACF to add custom HTML content to a page—perhaps a uniquely styled call-to-action (CTA) block. Post-update, your HTML is being escaped, stripping away the intended design and functionality.

Before the Update:


<div class="cta-block">
    <?php the_field('custom_html_cta'); ?>
</div>

Adapting:
Option 1: Use wp_kses_post() for Basic HTML

For basic HTML elements:

<div class="cta-block">
    <?php echo wp_kses_post(get_field('custom_html_cta')); ?>
</div>

Option 2: Custom Allow-List with wp_kses()

When specific HTML elements and attributes are needed:


$allowed_html = array(
    'div' => array(
        'class' => array(),
    ),
    'a' => array(
        'href' => array(),
        'class' => array(),
        'title' => array(),
    ),
    'span' => array(
        'class' => array(),
    ),
    // Add more tags and attributes as needed
);

echo wp_kses(get_field('custom_html_cta'), $allowed_html);

Advanced Use Case: Dynamic Content with ACF and JavaScript
You’re injecting JavaScript via ACF fields for dynamic content customization. The update complicates direct script injection due to automatic escaping.

The Safe Path Forward:
Enqueue Scripts Properly

Store your JavaScript code in external .js files.
Enqueue these scripts using wp_enqueue_script() within your theme’s functions.php, or trigger them conditionally within your template files.

// Example: Enqueuing a custom script
function my_custom_scripts() {
    if (get_field('activate_custom_behavior', 'option')) { // Assuming 'option' page setting
        wp_enqueue_script('my-custom-script', get_template_directory_uri() . '/js/my-custom-script.js', array('jquery'), null, true);
    }
}
add_action('wp_enqueue_scripts', 'my_custom_scripts');

Use ACF fields to pass configuration or data to these scripts via localized script variables (wp_localize_script()).


// Localize script with data from ACF fields
function my_localized_script_data() {
    wp_localize_script('my-custom-script', 'MyScriptParams', array(
        'dynamicData' => get_field('dynamic_data', 'option'),
    ));
}
add_action('wp_enqueue_scripts', 'my_localized_script_data');

This approach maintains security while offering dynamic, JavaScript-driven content customization.

Embracing Change: A Path Forward

The transition to automatic HTML escaping in ACF PRO represents a significant shift towards enhancing security and reliability in WordPress development. By adapting your workflows to embrace these changes—leveraging WordPress core functions for sanitization, and strategically managing HTML and JavaScript content—you ensure your projects remain both innovative and secure.

While the journey may require rethinking certain practices, the destination—a more secure, dynamic web—is undoubtedly worth it. Armed with these strategies and examples, you’re well-equipped to navigate the nuances of ACF PRO’s latest update, transforming potential obstacles into opportunities for growth and innovation.

FAQs 🚀

  • Q: Will this break my site?
    • A: Not necessarily. Test your fields, especially those outputting HTML.
  • Q: Can I disable this feature?
    • A: It’s not recommended due to security concerns, but customizing output methods can bypass automatic escaping.
  • Q: What if I need to output JavaScript?
    • A: Carefully. Consider enqueuing scripts rather than embedding them directly.

Looking to resolve the issue of unsafe HTML rendering with ACF PRO? Get expert assistance from Codeable’s WordPress developers today!

Find Developer

Wrapping Up: Secure, Customize, Thrive 🌟

This update is a significant step toward more secure, robust WordPress sites. With the tips and tricks shared, you’re well-equipped to adapt and continue creating dynamic, interactive, and safe web experiences.

Stay curious, stay secure, and most importantly, stay awesome! 💪

 

How to Fix ACF Will Soon Escape Unsafe HTML That is Rendered by the_field()

How to Fix ACF Will Soon Escape Unsafe HTML That is Rendered by the_field()

Advanced Custom Fields (ACF) PRO is a powerful plugin for WordPress developers, allowing them to easily create custom fields and meta boxes for their websites. However, like any tool, it’s essential to use ACF PRO correctly to avoid potential security risks. One such risk involves the rendering of unsafe HTML when using the_field() function, which can leave your site vulnerable to cross-site scripting (XSS) attacks and other security threats. In this article, we’ll delve into this issue and provide practical solutions to fix it.

Looking to resolve the issue of unsafe HTML rendering with ACF PRO? Get expert assistance from Codeable’s WordPress developers today!

Find Developer

Unsafe HTML rendering in ACF can pose a security risk, leaving your website vulnerable to attacks. However, with the advancements in their development process, ACF is soon to introduce a fix that will eliminate this concern. By incorporating this solution, you can enjoy a safer and more secure user experience on your website.

ACF will soon escape unsafe HTML that is rendered by the_field()

To help you understand how to implement this fix, we will provide you with clear and concise code examples. Whether you are a developer or simply interested in understanding the technical side of ACF, this article has got you covered. Join us as we explore the steps to fix the ACF issue and ensure the safety of your website’s HTML rendering.

Understanding the issue with ACF and unsafe HTML

ACF is a powerful WordPress plugin that allows you to create custom fields and easily add them to your website. However, a common problem with ACF arises when using the_field() function to display the data stored in these custom fields. The function does not escape the HTML output by default, which can lead to potential security vulnerabilities.

When HTML tags and special characters are not properly escaped, it allows malicious users to inject harmful code into your website, leading to cross-site scripting (XSS) attacks. These attacks can result in stolen data, defacement of your website, or even complete control by the attacker.

The impact of unsafe HTML on your website

The impact of unsafe HTML rendering can be severe, affecting both the functionality and security of your website. Let’s take a closer look at the potential consequences:

  1. Security vulnerabilities: As mentioned earlier, unsafe HTML can allow attackers to inject malicious code into your website. This can result in data breaches, unauthorized access, and other security-related issues.
  2. User experience: Unsafe HTML can disrupt the user experience on your website. If the injected code interferes with the layout or functionality, it can lead to a poor user experience, causing frustration and potentially driving visitors away.
  3. Search engine optimization: Search engines may penalize your website if it contains unsafe HTML. This can negatively impact your search engine rankings and overall visibility online.

Introducing the ACF Will Soon Escape Unsafe HTML error

ACF has acknowledged the issue with unsafe HTML rendering and is actively working on a solution. In their upcoming release, they will introduce a new feature called “ACF Will Soon Escape Unsafe HTML.” This feature aims to automatically escape HTML output by default when using the_field() function, providing a safer environment for your website.

The “ACF Will Soon Escape Unsafe HTML” error is a warning message that developers may encounter when using the_field() function without proper HTML escaping. It serves as a reminder to update your code and ensure that the HTML output is secure.

Why the_field() function triggers this error

The_field() function, by default, does not escape the HTML output. This means that any HTML tags or special characters within the custom field data will be rendered as-is, without any encoding or escaping. While this may be convenient for some scenarios, it can pose a significant security risk if the data is not trusted or sanitized.

To address this issue, ACF has decided to introduce the “ACF Will Soon Escape Unsafe HTML” error. This serves as a proactive measure to encourage developers to update their code and ensure the proper escaping of HTML output.

Code examples of the_field() function causing the error

Let’s take a look at some code examples to understand how the_field() function can trigger the “ACF Will Soon Escape Unsafe HTML” error:

Example 1:

<?php 
    $field_value = get_field('my_custom_field'); 
    echo the_field('my_custom_field'); 
?>

In this example, the_field() function is used to output the value of the custom field ‘my_custom_field’. However, if the field contains unsafe HTML or special characters, the function will not escape them by default, triggering the error.

Example 2:

<?php $field_value = get_field('my_custom_field'); echo 'div>' . the_field('my_custom_field') . '/div>'; ?>

In this example, the_field() function is used within an HTML element. If the custom field contains unsafe HTML, it will be rendered as-is within the div element, triggering the error.

How to fix the ACF Will Soon Escape Unsafe HTML error

Now that we understand the issue and how it can occur, let’s explore three methods to fix the “ACF Will Soon Escape Unsafe HTML” error and ensure the safety of your HTML rendering.

Method 1: Using the update_field() function

One way to fix the “ACF Will Soon Escape Unsafe HTML” error is by using the update_field() function instead of the_field(). The update_field() function allows you to retrieve and escape the HTML output from your custom field, ensuring that it is safe for rendering.

Here’s an example of how you can implement this method:

<?php 
    $field_value = get_field('my_custom_field'); 
    $escaped_field_value = esc_html($field_value); 
    echo $escaped_field_value;
 ?>

In this example, we first retrieve the value of the custom field using the get_field() function. Then, we use the esc_html() function to escape the HTML output, ensuring that any unsafe HTML or special characters are properly encoded. Finally, we echo the escaped field value, which can now be safely rendered on your website.

Method 2: Customizing the output with htmlspecialchars()

Another method to fix the “ACF Will Soon Escape Unsafe HTML” error is by customizing the output using the htmlspecialchars() function. This function allows you to encode special characters within your custom field data, preventing them from being interpreted as HTML.

Here’s an example of how you can implement this method:

<?php
    $field_value = get_field('my_custom_field');
    $encoded_field_value = htmlspecialchars($field_value);
    echo $encoded_field_value; 
?>

In this example, we retrieve the value of the custom field using the get_field() function. Then, we use the htmlspecialchars() function to encode any special characters within the field value. This ensures that the HTML output is safe and prevents any potential security vulnerabilities.

Method 3: Using the_field() with the ‘esc_html’ filter

The third method to fix the “ACF Will Soon Escape Unsafe HTML” error is by using the_field() function with the ‘esc_html’ filter. This filter allows you to automatically escape the HTML output without modifying the original field value.

Here’s an example of how you can implement this method:

<?php 
    $field_value = get_field('my_custom_field'); 
    echo apply_filters('the_field', $field_value, null, 'esc_html'); 
?>

In this example, we retrieve the value of the custom field using the get_field() function. Then, we use the apply_filters() function to apply the ‘esc_html’ filter to the_field() function. This ensures that the HTML output is properly escaped, providing a safer rendering of the custom field value.

Conclusion

Unsafe HTML rendering in ACF can pose a significant security risk to your website. However, with the upcoming release of “ACF Will Soon Escape Unsafe HTML,” you can ensure a safer and more secure user experience. By implementing the code examples provided in this article, you can fix the “ACF Will Soon Escape Unsafe HTML” error and protect your website from potential attacks.

Remember to always prioritize the security and integrity of your website’s HTML rendering. Stay updated with the latest ACF releases and best practices to ensure a secure and reliable user experience for your visitors.

Looking to resolve the issue of unsafe HTML rendering with ACF PRO? Get expert assistance from Codeable’s WordPress developers today!

Find Developer

Understanding the “ACF PRO — ACF Will Soon Escape Unsafe HTML” Warning

ACF will soon escape unsafe html that is rendered by the_field()

This warning means that Advanced Custom Fields (ACF), a popular WordPress plugin, will soon start escaping unsafe HTML input to prevent security issues.

Why is ACF adding this security feature?

ACF wants to prevent unwanted HTML and JavaScript from being executed when field values are rendered in the frontend. Without this security check, it’s possible for malicious users to input code that could compromise your site.

How will this affect my site?

Any field values that contain HTML will have special characters escaped to render as plain text instead. For example:

echo $value; 
// Before: &lt;wp-p&gt;Hello&lt;/wp-p&gt;;
// After: &amp;amp;lt;p&amp;amp;gt;Hello&amp;amp;lt;/p&amp;amp;gt;

This prevents the HTML from being executed.

What should I do about “ACF Will Soon Escape Unsafe HTML” Warning?

You have three options:

1. Sanitize your field values before rendering.

Use a function like wp_kses_post() to strip unwanted HTML tags and attributes, keeping only allowed ones.

For example:

$sanitized_value = wp_kses_post( $value );
echo $sanitized_value;

This will fix the warning and allow your desired HTML to be rendered safely.

2. Get help from WordPress Developers

Trust the expertise of Codeable’s seasoned WordPress developers to implement robust solutions and fortify your site against potential threats. With their in-depth knowledge and meticulous attention to detail, they’ll ensure that your ACF PRO implementation is not only secure but also optimized for performance and functionality. Reach out to Codeable today and safeguard your WordPress site with confidence.

3. Do nothing

If you don’t use HTML in your ACF field values, this update won’t affect you.

Looking to resolve the issue of unsafe HTML rendering with ACF PRO? Get expert assistance from Codeable’s WordPress developers today!

Find Developer

 

Why You’re Seeing This Warning in WordPress

If you’ve recently updated Advanced Custom Fields (ACF) and started seeing warnings about “ACF PRO Will Soon Escape Unsafe HTML,” don’t panic. This is actually a helpful notice from ACF to let you know that some of your field values may contain unsafe HTML that could put your site at risk.

What is “Unsafe HTML”?

Unsafe HTML refers to HTML tags, attributes or code that could potentially be exploited for malicious purposes like XSS (cross-site-scripting) attacks. Some examples of unsafe HTML that will trigger the ACF warning include:

<script>alert(“Hi!”)</script> <a href=”javascript:alert(‘XSS’);”>Click me</a>

To prevent these kinds of vulnerabilities, ACF PRO will be escaping unsafe values in upcoming versions. Escaping means converting unsafe HTML into plain text so it’s not executed as code.

How to Fix the Warning

To fix this warning and ensure your ACF fields don’t contain unsafe HTML, you have two options:

  1.  Manually clean up unsafe values Go through your ACF fields and sanitize any values containing unsafe HTML. Replace or remove HTML tags and attributes, leaving only plain text.
  1. Enable “Escape HTML” on your fields The easiest option is to enable the “Escape HTML” setting on any fields that may contain unsafe values. This will automatically sanitize the values, escaping unsafe HTML.

To enable “Escape HTML” on your fields:

  • Edit the field group
  • Click on the field you want to edit
  • Under “Field Options,” check the box next to “Escape HTML”
  • Save your changes

This will escape unsafe HTML in both existing and new values for that field going forward. Repeat this for any other fields as needed.

ACF will soon escape unsafe HTML that is rendered by the_field()

The Risks of Rendering Unsanitized HTML

Unsanitized HTML refers to user-inputted HTML that hasn’t been properly filtered for malicious code before being displayed on your website. Allowing unsanitized HTML to be rendered poses serious security risks.

Cross-Site Scripting (XSS) Attacks

The biggest danger of rendering unsanitized HTML is that it opens you up to XSS attacks. An attacker could input JavaScript, PHP, or other code into a form on your site. If that input is displayed without sanitizing, the code will execute on your site. This allows the attacker to do things like:

  • Steal cookies and session data
  • Redirect users to malicious sites
  • Change or delete site content
  • Launch denial-of-service attacks

To prevent XSS attacks, you must sanitize all user input before displaying it. For HTML input, use a library like HTML Purifier to filter out unsafe tags and attributes.

Injected Malware

Rendering unsanitized HTML also makes it possible for attackers to inject malicious scripts, iframes, and other HTML elements containing malware. Even if the input isn’t specifically targeting your site, rendering it could infect your users with malware like:

  • Ransomware that encrypts user files until a ransom is paid
  • Cryptocurrency mining scripts that hijack CPU power
  • Keylogging or form-grabbing code to steal user data

SEO and Accessibility Issues

Allowing unfiltered HTML input can also cause problems for search engines and accessibility tools. Unsemantic markup, duplicate content, and hidden text can confuse search engine crawlers. And elements like <blink>, <marquee>, and <font> can disrupt screen readers and other assistive technologies.

How to Fix “ACF PRO — ACF Will Soon Escape Unsafe HTML”

If you see this warning from ACF PRO, it means you have HTML in a field that could potentially contain malicious code. To fix this, you’ll need to sanitize the HTML to strip out anything unsafe.

Use esc_html()

The easiest way to sanitize HTML in ACF is to use the esc_html() function. This will strip out any HTML tags and encode special characters to make the string safe to display.

For example, if you have a text field with this HTML: <p><a href=”http://example.com”>Link</a></p>

You can display it safely like this:

echo esc_html( $field['value'] );


This will output: <p><a href=”http://example.com”>Link</a></p>

Allow Specific Tags

If you want to allow some HTML tags but not others, use wp_kses_post(). This lets you pass an array of allowed tags.

For example, to allow links and emphasis tags:

$allowed_tags = array(
    'a' =&amp;amp;amp;amp;gt; array(
        'href' =&amp;amp;amp;amp;gt; true
    ),
    'em' =&amp;amp;amp;amp;gt; true 
);

echo wp_kses_post( $field['value'], $allowed_tags );

This will strip out any tags not in the allowed_tags array, sanitizing the input.

Use ACF’s sanitize_callback

The best way to sanitize an ACF field is to use the sanitize_callback argument. You can pass a callback function that will be run whenever the field is saved.

For example:

'fields' =&amp;amp;amp;amp;gt; array(
    array(
        'key'           =&amp;amp;amp;amp;gt; 'html_field',
        'label'         =&amp;amp;amp;amp;gt; 'HTML Field',
        'name'          =&amp;amp;amp;amp;gt; 'html_field',
        'type'          =&amp;amp;amp;amp;gt; 'wysiwyg',
        'sanitize_callback' =&amp;amp;amp;amp;gt; 'my_acf_sanitize_html' 
    )
)

function my_acf_sanitize_html( $input ) {
    $allowed_html = array(
        'a' =&amp;amp;amp;amp;gt; array( 'href' =&amp;amp;amp;amp;gt; true ),
        'em' =&amp;amp;amp;amp;gt; true,
        'strong' =&amp;amp;amp;amp;gt; true
    );
    return wp_kses_post( $input, $allowed_html );
} 

This will run the my_acf_sanitize_html() function whenever the html_field is saved, sanitizing the input.

 

Using Esc_html() and Esc_attr() to Sanitize Output

To fix the “ACF PRO Will Soon Escape Unsafe HTML” warning, you’ll need to sanitize all output in your ACF fields. This means escaping HTML characters so they are not executed as code. ACF provides two helper functions for this:

esc_html()

Use esc_html() to sanitize output that will be displayed in the HTML body. This escapes characters like <, >, “, ‘, etc. For example:

echo esc_html( $your_string );

 

esc_attr()

Use esc_attr() to sanitize output used in HTML attributes like src, href, value, etc. For example:

echo '&lt;a href="' . esc_attr( $your_string ) . '"&gt;Link&lt;/a&gt;';
[php]

&lt;h2&gt;Examples of Escaping ACF Values Before Output&lt;/h2&gt;
To fix this warning, you'll need to properly escape ACF field values before outputting them. This means converting characters that could be misinterpreted as HTML into HTML entities.

For example, to output a field named &lt;code&gt;my_text&lt;/code&gt;, you'd use:
[php]
echo esc_html( get_field('my_text') );

The esc_html() function will escape things like <, >, “, ‘, and &. So if the field value was:

This is a <b>test</b> with "quotes" and 'apostrophes' & ampersands

The output would be:

This is a &lt;b&gt;test&lt;/b&gt; with &quot;quotes&quot; and &#39;apostrophes&#39; &amp; ampersands

This prevents the text from being interpreted as actual HTML.

You’ll want to escape ACF values anywhere they’re output, like:

  • In the_content()
  • the_excerpt()
  • the_title()
  • Widgets (text, HTML, etc.)
  • The Loop
  • Comments
  • etc.

So your code may look something like this:

the_content( esc_html( get_field('my_content') ) ); 
[php]

or

[php]
echo esc_html( get_field('my_text') ); 


in various places throughout your theme and plugins.

 

Other Methods for Sanitizing ACF HTML

One way to fix this warning is by sanitizing ACF fields that contain HTML. There are a few methods for sanitizing HTML in WordPress and with ACF.

esc_attr()

The esc_attr() function escapes HTML attribute values. Use this when outputting ACF field values in HTML attributes. For example:

echo '&amp;amp;amp;amp;lt;a href="' . esc_attr($field_value) . '"&amp;amp;amp;amp;gt;Link&amp;amp;amp;amp;lt;/a&amp;amp;amp;amp;gt;';

This will escape the $field_value, making it safe to use in the href attribute.

esc_html()

The esc_html() function escapes HTML for output in the HTML body. Use this when outputting ACF field values that will be displayed as raw HTML. For example:

echo esc_html($field_value);

This will escape the $field_value, making it safe to echo as HTML.

wp_kses_post()

The wp_kses_post() function strips out any invalid HTML and sanitizes the remaining HTML to ensure it’s safe for output. This is a more comprehensive sanitization method compared to esc_html(). Use this when allowing users to enter custom HTML in an ACF field.For example:

echo wp_kses_post($field_value);

This will sanitize the $field_value and strip out any unsafe HTML before outputting.

ACF Stripsafe

The Stripsafe ACF add-on allows you to configure allowed HTML tags, attributes and protocols on a per-field basis. This gives you granular control over HTML sanitization for ACF fields.

Should I sanitize ACF values on save or output?

It is best practice to sanitize ACF field values on output rather than save. This allows you to sanitize values for different contexts, and allows HTML/scripts in fields that are safely output in certain contexts.

What sanitization method should I use?

It depends on your needs. Use esc_attr() for attributes, esc_html() for basic HTML, wp_kses_post() for more comprehensive sanitization, and ACF Stripsafe for granular control.

When You Should Not Escape ACF HTML Output

Sometimes you’ll want ACF to output HTML instead of escaping it. For example, if you’re using ACF to build a post content editor with a rich text editor field, you’ll want the field to output HTML to properly format the content.

To tell ACF not to escape a field’s output, you can add esc_html => false to the field’s arguments:

$args = array(
    'label' =&amp;amp;amp;gt; 'Content',
    'name' =&amp;amp;amp;gt; 'content',
    'type' =&amp;amp;amp;gt; 'wysiwyg',
    'toolbar' =&amp;amp;amp;gt; 'full',
    'esc_html' =&amp;amp;amp;gt; false
);

acf_add_local_field_group(array(
    'key' =&amp;amp;amp;gt; 'group_1234',
    'title' =&amp;amp;amp;gt; 'Content',
    'fields' =&amp;amp;amp;gt; array($args)
));

Now the content field will output raw HTML which WordPress will properly format on the frontend.

You’ll also want to do this for any field where you intend to have HTML in the value, such as:

  • Textarea fields
  • Code fields
  • Gallery fields
  • Etc.

Any field where you’re allowing editors to add custom HTML, you’ll need to set esc_html => false. Otherwise, ACF will escape the HTML to prevent XSS vulnerabilities.

Escaping Unsafe HTML Rendered by ACF The_field()

ACF PRO recently started warning you that “ACF will soon escape unsafe HTML that is rendered by the_field()”. What does this mean and how can you fix it?

When ACF renders a field using the_field(), it outputs the value without escaping it. This means if the value contains HTML, it will be executed. While this is useful in some cases, it can also pose a security risk. To fix this, ACF PRO will automatically escape values to prevent unwanted HTML execution.

To fix this warning and opt-in to escaping values, you have two options:

  1. Add esc_html() when echoing the_field()
echo esc_html( the_field('some_field') );
  1. Add ‘escape_output’ => true when registering the field
acf_add_local_field( array(
'key' =&amp;gt; 'some_field',
'name' =&amp;gt; 'Some Field',
'type' =&amp;gt; 'text',
'escape_output' =&amp;gt; true
) );

This will tell ACF to automatically escape the value for this field when using the_field().

FAQ

  • I have an HTML form where users can enter content. Should I sanitize that input?

    Yes, always sanitize any HTML input before displaying it. Use a library like HTML Purifier to remove unsafe tags and attributes.

  • What's the difference between sanitizing and escaping HTML?

    Sanitizing HTML filters out unsafe elements, attributes, and code. Escaping HTML converts special characters like < and > into HTML entities (< and >) which prevents the browser from executing any code. For security, you should sanitize first, then escape.
  • How can I prevent XSS attacks?

    To prevent XSS attacks, follow these best practices:

    • Sanitize all user input, especially HTML, JavaScript, CSS, and URL input.
    • Use a library like HTML Purifier, DOMPurify or bleach to sanitize HTML.
    • Escape all output, including data from databases, with htmlspecialchars() or esc_html().
    • Use httponly, secure, and samesite cookies to prevent cookie theft.
  • Do I need to sanitize on the front-end and back-end?

    Yes, it's best practice to sanitize data on both sides. Sanitize when saving data to the database (back-end) and also when outputting data to the front-end. Without sanitizing, malicious users could input JavaScript or other code into your ACF fields and have it execute on your site. This is a major security risk known as an XSS (cross-site-scripting) attack. You only need to sanitize string data that will be output to the page. Numbers, dates, file uploads, etc. do not need to be sanitized.

  • How do I fix fields that have already been created?

    Unfortunately, you'll need to manually edit any existing ACF fields and add the necessary esc_html() and esc_attr() calls. Any new fields you create will need to have sanitization added right away.

    To fix the "ACF PRO Will Soon Escape Unsafe HTML" warning and lock down the security of your site's data, be sure to sanitize all ACF output using esc_html() and esc_attr(). Your users and server will thank you!

  • What if I don't fix this warning?

    If left unfixed, upcoming versions of ACF PRO will automatically escape unsafe HTML in your field values to prevent security issues. Some formatting loss may occur, so it's best to manually clean up or enable escaping on the fields. ACF PRO is improving security by escaping unsafe HTML output. This warning gives you a chance to opt-in to the new escaping behavior. ACF PRO will require escaping or sanitizing field values in a future update. This warning gives you time to make the necessary updates to your templates to avoid issues when that change occurs.

  • What about when using ACF in widgets?

    Yes, you'll want to escape ACF values in widgets as well before outputting them. Simply call esc_html() on the field value same as anywhere else.

  • Will enabling "Escape HTML" affect my field values?

    Enabling this setting will convert any unsafe HTML in your field values to plain text. Some formatting may be lost, but it helps prevent vulnerabilities.

Codeable service can fix this for you!

Find Developer

Reach out to the Codeable experts for help. Their WordPress developers can fully audit your site and ACF PRO integration to fix any issues causing warnings.

There are a few key benefits to having Codeable audit your site:

• Comprehensive review – We will review all instances of ACF on your site, including fields, locations, and how ACF is integrated with your theme.

• Technical expertise – Our developers are ACF PRO experts and can identify issues that may be causing the unsafe HTML warning.

• Custom fixes – We will provide recommendations and implement any custom code fixes needed to resolve the warning and make your ACF integration safe and secure.

• Future-proofing – After fixing current issues, we can recommend best practices to implement going forward to avoid similar errors.

• Peace of mind – You’ll have confidence that your ACF PRO integration is running smoothly and not exposing your site to risk.

If you’d like a free consultation to discuss an ACF PRO audit for your site, feel free to reach out. We can review your issues, provide a free quote, and develop a customized plan to resolve any ACF or WordPress integration issues.

How to Automatically Change WooCommerce Product Order Status from Processing to Completed status

Running a successful WooCommerce store involves efficient order management. One way to streamline this process is by automatically switching the order status from “Processing” to “Completed.” In this comprehensive guide, we’ll explore two methods to achieve this: using a custom function and utilizing a plugin.

Method 1: Using a Custom Function

Step 1: Access Your Theme’s functions.php File

  1. Log in to Your WordPress Dashboard: Begin by accessing your WordPress admin dashboard.
  2. Navigate to “Appearance”: Click on “Appearance” in the left-hand menu.
  3. Select “Theme Editor”: Choose “Theme Editor” to access your theme’s files.
  4. Locate and Open “functions.php”: In the list of theme files on the right-hand side, find and select the “functions.php” file.

Step 2: Insert the Custom Function

Now, let’s insert the custom function that automates the order status change:

function auto_complete_orders() {
    // Retrieve all orders with "Processing" status
    $processing_orders = wc_get_orders( array(
        'status' => 'processing',
        'limit' => -1,
     ) );

     // Loop through each "Processing" order and change its status to "Completed"
     foreach ( $processing_orders as $order ) {
        $order->update_status( 'completed' );
     }
}
add_action( 'woocommerce_order_status_processing', 'auto_complete_orders' );
<pre>

 

This code defines a function called auto_complete_orders that triggers when an order’s status changes to “Processing.” It then automatically changes the order status to “Completed.”

Method 2: Using a Plugin

Step 1: Install and Activate a Plugin

For those who prefer a user-friendly approach without coding, plugins offer a convenient solution. Follow these steps:

  1. Login to Your WordPress Admin Dashboard: Access your WordPress admin dashboard.
  2. Visit the “Plugins” Section: Navigate to the “Plugins” section in the left-hand menu.
  3. Click “Add New”: Select “Add New” to search for and install a suitable plugin.
  4. Search and Install: In the search bar, type the name of a plugin like “WooCommerce Auto-Complete Orders.” Once found, click “Install” and then “Activate.”

Step 2: Configure Plugin Settings

After activating the plugin, you can configure its settings:

  • Specify Order Status: Typically, these plugins allow you to specify the order status that triggers the automatic change to “Completed.” Customize these settings according to your requirements.

Automatically Change WooCommerce Product Order Status from Processing to Completed status

By automating the transition from “Processing” to “Completed” order status in WooCommerce, you can simplify your order management processes, reduce manual workload, and enhance the overall customer experience. Whether you choose the custom function or plugin method, thorough testing on a staging site is essential to ensure seamless functionality and avoid conflicts with other plugins or themes on your live website.

WPForms Double Opt-In: Elevate Your Newsletter Game

Introduction to WPForms and Double Opt-In

Building a robust email list is crucial for any online business or blogger. Enter WPForms, a leading form-building tool for WordPress, known for its user-friendly interface and powerful features. Among these is the double opt-in mechanism for newsletter forms – a game-changer in email marketing. Double opt-in refers to the process where a user signs up for a newsletter and then confirms their subscription through an email link. This method ensures higher quality leads and compliance with global email regulations.

Benefits of Using Double Opt-In with WPForms

Implementing double opt-in via WPForms comes with a host of benefits. Firstly, it significantly enhances the quality of your email list by filtering out accidental or bot sign-ups. This leads to lower bounce rates and higher engagement as your audience consists of genuinely interested subscribers. Moreover, double opt-in aligns with various data protection and privacy laws, such as GDPR, ensuring that your email marketing practices are legally compliant.

WP Forms

 

Step-by-Step Guide to Implementing Double Opt-In in WPForms

Creating a double opt-in newsletter form in WPForms is straightforward. Here’s how:

  1. Creating a Newsletter Form: Start by building your newsletter form in WPForms. Use their drag-and-drop builder to customize fields according to your needs.
  2. Configuring Double Opt-In: In the form settings, enable the double opt-in feature. This ensures that every sign-up receives a confirmation email.
  3. Customizing Confirmation Emails: Personalize the confirmation emails. A compelling subject line and a clear call to action can improve the confirmation rates.
  4. Integrating with Email Marketing Services: Seamlessly integrate your form with popular email services like Mailchimp or AWeber to automate the subscription process.

Best Practices for Double Opt-In Forms

To maximize the efficiency of your double opt-in forms, consider the following best practices:

  • Design compelling CTAs and opt-in messages that resonate with your audience.
  • Ensure your form design is visually appealing and aligns with your site’s aesthetics for higher conversion rates.
  • Time your confirmation emails appropriately – not too soon, not too late.

Analyzing the Impact of Double Opt-In

Once your double opt-in form is live, closely monitor sign-up rates and engagement metrics. Use these insights to tweak and improve your strategy. Regular analysis helps in understanding subscriber behavior and preferences, enabling more targeted and effective email campaigns.

 

WPForms’ double opt-in feature for newsletter forms is an invaluable tool in the arsenal of email marketing. It not only enhances the quality of your email list but also ensures compliance with privacy laws. By following the best practices and continuously analyzing your results, you can significantly improve your newsletter sign-up rates and overall engagement.

Analyzing and Optimizing Your Newsletter Strategy

Beyond the setup, analyzing the performance of your double opt-in forms is crucial. WPForms comes equipped with robust analytics tools that allow you to track the success of your forms. You can see how many visitors are converting, what pages are performing best, and use this data to optimize your forms for even better performance. Experiment with different call-to-actions, form layouts, and content to see what resonates most with your audience.

Advanced Tips for Maximizing Subscriber Engagement

To take your newsletter forms to the next level, consider these advanced strategies:

  • Segment Your Audience: Use the data collected through WPForms to segment your audience based on their preferences or behaviors. Tailored content can significantly boost engagement.
  • A/B Testing: Regularly test different elements of your newsletter sign-up process to find what works best. WPForms allows for easy A/B testing of your forms.
  • Follow-Up Automation: Set up automated emails for users who have completed the double opt-in process. This keeps your audience engaged and sets the stage for a long-term relationship.

FAQs about WPForms and Double Opt-In


FAQs about WPForms and Double Opt-In

Q: Is double opt-in mandatory for newsletter forms? A: While not mandatory, double opt-in is highly recommended. It ensures a more engaged and genuine subscriber base and is crucial for compliance with certain email marketing regulations.

Q: Can I integrate WPForms with any email marketing service? A: WPForms offers integration with many popular email marketing services like Mailchimp, AWeber, and Constant Contact. This allows for a seamless transition of subscriber data from your forms to your email lists.

Q: How can I improve the open rates of my confirmation emails? A: Use a clear, engaging subject line and ensure that the email content is concise and to the point. Personalizing the email can also increase the likelihood of it being opened.

Q: Does WPForms support GDPR compliance? A: Yes, WPForms includes features that help you build GDPR-compliant forms, including options for explicit consent checkboxes.

Q: Can I track the performance of my double opt-in forms? A: Yes, WPForms allows you to track form submissions and conversions. Integrating with email marketing services also provides additional analytics regarding open rates and subscriber engagement.

Q: How do I ensure my confirmation emails don’t end up in spam? A: To avoid spam filters, make sure your email content is clear and free of spam-trigger words. Using a reputable email service provider and maintaining a clean email list also helps.

Q: Can WPForms handle high volumes of newsletter sign-ups? A: Absolutely. WPForms is designed to efficiently handle large volumes of data, making it suitable for both small and large-scale operations.

Q: Is it possible to customize the double opt-in process in WPForms? A: Yes, WPForms offers extensive customization options. You can personalize everything from the form fields and design to the confirmation email content.

Q: How can I add a GDPR compliance checkbox to my WPForms newsletter form? A: WPForms allows you to easily add a GDPR compliance checkbox to your forms, ensuring that you’re obtaining explicit consent from users.

Q: What should I do if my double opt-in rates are low? A: If you’re experiencing low opt-in rates, consider revising your form design, CTA, or confirmation email. Make sure your value proposition is clear and compelling.

Q: Can I track the source of my newsletter sign-ups in WPForms? A: Yes, WPForms provides tools to track the source of your sign-ups, helping you understand which marketing channels are most effective.

Q: How does WPForms ensure the security of the data collected through forms? A: WPForms places a high priority on data security. It uses various measures, including encryption and regular security audits, to protect user data.

Learndash customization with examples

Learndash customization

Are you looking to take your e-learning platform to the next level? Look no further than Learndash customization. Learndash is a powerful learning management system (LMS) for educational institutions and businesses alike, and customizing it can provide a truly unique and tailored learning experience. In this article, we will explore the benefits and possibilities of Learndash customization, backed by real-world examples.

Customising Learndash allows you to align the platform with your brand, enhance user engagement, and create personalized learning journeys. Whether it’s applying your company’s branding, designing interactive elements, or integrating additional functionalities, Learndash customization empowers you to achieve your desired outcomes.

Throughout this article, we will delve into various examples of Learndash customization, showcasing how different organizations have successfully modified the platform to suit their specific needs. From custom-designed course layouts to seamless integration with other tools and plugins, these real-life cases will inspire you to make the most of Learndash’s flexibility.

Stay tuned as we uncover the world of Learndash customization and explore how it can revolutionize your e-learning experience.

Why customize Learndash?

Customising Learndash offers a range of benefits that can greatly enhance the e-learning experience for both learners and administrators. Let’s take a closer look at why customisation is worth considering.

First and foremost, customising Learndash allows you to align the platform with your brand. By incorporating your company’s logo, color scheme, and overall visual identity, you create a cohesive learning environment that reflects your brand’s values and aesthetics. This branding consistency not only enhances the overall user experience but also helps build trust and credibility with your learners.

Furthermore, Learndash customisation enables you to enhance user engagement. By adding interactive elements, such as gamification features, multimedia content, and social learning tools, you can make the learning experience more dynamic and enjoyable. Engaged learners are more likely to retain information and complete courses, leading to improved learning outcomes.

Another key advantage of customising Learndash is the ability to create personalised learning journeys. By tailoring the platform to suit individual learners’ needs, you can provide a more immersive and relevant learning experience. This can be achieved through adaptive learning paths, personalised course recommendations, and targeted assessments. Personalisation not only increases learner satisfaction but also improves knowledge retention and application.

In summary, customising Learndash offers the opportunity to align the platform with your brand, enhance user engagement, and create personalised learning journeys. Now, let’s explore some real-world examples of Learndash customisation to see these benefits in action.

Examples of Learndash customizations

Customising Learndash is a versatile process that can be tailored to meet the specific needs of your organisation. Let’s take a look at some real-world examples of Learndash customisations to get inspired.

Customizing the Learndash user interface

One way to customise Learndash is by modifying the user interface to match your brand’s visual identity. For example, Company X, a leading e-learning provider, customised Learndash to incorporate their logo, color scheme, and typography throughout the platform. This created a seamless and consistent experience for learners, reinforcing their brand and increasing learner engagement.

In addition to branding, you can also customise the user interface to improve usability. Company Y, a corporate training company, customised Learndash by simplifying the navigation and restructuring the course layout. They created a more intuitive and user-friendly interface, making it easier for learners to navigate through the content and track their progress.

Customizing Learndash course layouts

Customizing course layouts is another effective way to enhance the Learndash experience. Customizing Learndash by creating visually appealing and interactive course layouts. They incorporated multimedia elements, such as videos and interactive quizzes, to make the learning experience more engaging and immersive. This customisation not only increased learner satisfaction but also improved course completion rates.

Furthermore, you can customise Learndash course layouts to meet specific instructional design requirements. Company A, a healthcare training provider, customised Learndash to include custom progress trackers and interactive simulations. This allowed learners to track their progress in real-time and practice critical skills in a safe virtual environment. The custom course layouts provided a more realistic and hands-on learning experience.

Enhancing Learndash quizzes and assessments

Customising Learndash quizzes and assessments can greatly improve learner engagement and knowledge retention. Company B, an online certification provider, customised Learndash by adding gamification elements to their quizzes. They incorporated points, badges, and leaderboards to create a competitive and motivating learning environment. This customisation not only increased learner participation but also improved quiz performance and knowledge retention.

Another way to enhance Learndash quizzes and assessments is by incorporating multimedia elements. Company C, a professional development platform, customised Learndash by adding video-based assessments. This allowed learners to demonstrate their skills and knowledge through practical scenarios, providing a more authentic and comprehensive assessment experience.

Integrating third-party plugins with Learndash

Learndash can be further customised by integrating third-party plugins and tools. For example, Company D, an e-learning platform for IT professionals, customised Learndash by integrating a virtual lab environment. This allowed learners to practice their skills in a virtual sandbox, providing a hands-on learning experience. The seamless integration between Learndash and the virtual lab enhanced the overall learning experience and increased learner satisfaction.

Additionally, you can integrate Learndash with communication and collaboration tools to facilitate social learning. Company E, a corporate training provider, customised Learndash by integrating a discussion forum and live chat feature. This enabled learners to interact with each other, ask questions, and share insights, fostering a collaborative learning environment.

Advanced Learndash customization techniques

In addition to the examples mentioned above, there are advanced Learndash customization techniques that can further enhance the platform’s functionality. These techniques require technical expertise and can be tailored to meet specific requirements.

One advanced customization technique is creating custom user roles and permissions. This allows you to define different user roles, such as instructors, administrators, and learners, with specific permissions and access levels. This level of customization is particularly useful for large-scale e-learning platforms with multiple stakeholders and complex workflows.

Another advanced customization technique is integrating external APIs to extend Learndash’s capabilities. This allows you to connect Learndash with other systems and tools, such as CRM software or payment gateways. For example, Company F, an online course marketplace, customised Learndash by integrating with a CRM system to automate course enrollment and user management processes.

Best practices for Learndash customization

While Learndash customisation offers endless possibilities, it’s important to follow some best practices to ensure a smooth and successful customisation process. Here are some tips to keep in mind:

  1. Plan ahead: Clearly define your customisation goals and requirements before starting the process. This will help you stay focused and avoid unnecessary modifications.
  2. Test thoroughly: Before implementing any customisations, thoroughly test them in a staging environment to ensure compatibility and functionality.
  3. Stay up to date: Regularly update your Learndash installation and any customisations to ensure compatibility with the latest version and security patches.
  4. Document changes: Keep a record of all customisations made, including code modifications and plugin integrations. This will make it easier to troubleshoot any issues and maintain consistency.
  5. Consider scalability: If you anticipate future growth or changes in your e-learning platform, consider customisations that are scalable and adaptable.

By following these best practices, you can ensure a successful and sustainable Learndash customisation process.

Conclusion

Customising Learndash can take your e-learning platform to new heights. Whether it’s aligning the platform with your brand, enhancing user engagement, or creating personalised learning journeys, Learndash customisation empowers you to create a unique and tailored learning experience. The real-world examples showcased in this article demonstrate the vast possibilities of Learndash customisation, from custom-designed course layouts to seamless integrations with other tools and plugins.

As you embark on your Learndash customisation journey, remember to plan ahead, test thoroughly, and stay up to date with updates and best practices. With careful customisation, Learndash can truly revolutionise your e-learning experience and drive better learning outcomes. So, go ahead and unleash the power of Learndash customisation to create a truly exceptional e-learning platform.