Understanding the “ACF PRO — ACF Will Soon Escape Unsafe HTML” Warning

ACF will soon escape unsafe html that is rendered by the_field()

This warning means that Advanced Custom Fields (ACF), a popular WordPress plugin, will soon start escaping unsafe HTML input to prevent security issues.

Why is ACF adding this security feature?

ACF wants to prevent unwanted HTML and JavaScript from being executed when field values are rendered in the frontend. Without this security check, it’s possible for malicious users to input code that could compromise your site.

How will this affect my site?

Any field values that contain HTML will have special characters escaped to render as plain text instead. For example:

echo $value; 
// Before: <wp-p>Hello</wp-p>;
// After: <p>Hello</p>

This prevents the HTML from being executed.

What should I do about “ACF Will Soon Escape Unsafe HTML” Warning?

You have three options:

1. Sanitize your field values before rendering.

Use a function like wp_kses_post() to strip unwanted HTML tags and attributes, keeping only allowed ones.

For example:

$sanitized_value = wp_kses_post( $value );
echo $sanitized_value;

This will fix the warning and allow your desired HTML to be rendered safely.

2. Get help from WordPress Developers

Trust the expertise of Codeable’s seasoned WordPress developers to implement robust solutions and fortify your site against potential threats. With their in-depth knowledge and meticulous attention to detail, they’ll ensure that your ACF PRO implementation is not only secure but also optimized for performance and functionality. Reach out to Codeable today and safeguard your WordPress site with confidence.

3. Do nothing

If you don’t use HTML in your ACF field values, this update won’t affect you.

Why You’re Seeing This Warning in WordPress

If you’ve recently updated Advanced Custom Fields (ACF) and started seeing warnings about “ACF PRO Will Soon Escape Unsafe HTML,” don’t panic. This is actually a helpful notice from ACF to let you know that some of your field values may contain unsafe HTML that could put your site at risk.

What is “Unsafe HTML”?

Unsafe HTML refers to HTML tags, attributes or code that could potentially be exploited for malicious purposes like XSS (cross-site-scripting) attacks. Some examples of unsafe HTML that will trigger the ACF warning include:

<script>alert(“Hi!”)</script> <a href=”javascript:alert(‘XSS’);”>Click me</a>

To prevent these kinds of vulnerabilities, ACF PRO will be escaping unsafe values in upcoming versions. Escaping means converting unsafe HTML into plain text so it’s not executed as code.

How to Fix the Warning

To fix this warning and ensure your ACF fields don’t contain unsafe HTML, you have two options:

1.  Manually clean up unsafe values Go through your ACF fields and sanitize any values containing unsafe HTML. Replace or remove HTML tags and attributes, leaving only plain text.

2. Enable “Escape HTML” on your fields The easiest option is to enable the “Escape HTML” setting on any fields that may contain unsafe values. This will automatically sanitize the values, escaping unsafe HTML.

To enable “Escape HTML” on your fields:

• Edit the field group
• Click on the field you want to edit
• Under “Field Options,” check the box next to “Escape HTML”
• Save your changes

This will escape unsafe HTML in both existing and new values for that field going forward. Repeat this for any other fields as needed.

The Risks of Rendering Unsanitized HTML

Unsanitized HTML refers to user-inputted HTML that hasn’t been properly filtered for malicious code before being displayed on your website. Allowing unsanitized HTML to be rendered poses serious security risks.

Cross-Site Scripting (XSS) Attacks

The biggest danger of rendering unsanitized HTML is that it opens you up to XSS attacks. An attacker could input JavaScript, PHP, or other code into a form on your site. If that input is displayed without sanitizing, the code will execute on your site. This allows the attacker to do things like:

• Steal cookies and session data
• Redirect users to malicious sites
• Change or delete site content
• Launch denial-of-service attacks

To prevent XSS attacks, you must sanitize all user input before displaying it. For HTML input, use a library like HTML Purifier to filter out unsafe tags and attributes.

Injected Malware

Rendering unsanitized HTML also makes it possible for attackers to inject malicious scripts, iframes, and other HTML elements containing malware. Even if the input isn’t specifically targeting your site, rendering it could infect your users with malware like:

• Ransomware that encrypts user files until a ransom is paid
• Cryptocurrency mining scripts that hijack CPU power
• Keylogging or form-grabbing code to steal user data

SEO and Accessibility Issues

Allowing unfiltered HTML input can also cause problems for search engines and accessibility tools. Unsemantic markup, duplicate content, and hidden text can confuse search engine crawlers. And elements like <blink>, <marquee>, and <font> can disrupt screen readers and other assistive technologies.

How to Fix “ACF PRO — ACF Will Soon Escape Unsafe HTML”

If you see this warning from ACF PRO, it means you have HTML in a field that could potentially contain malicious code. To fix this, you’ll need to sanitize the HTML to strip out anything unsafe.

Use esc_html()

The easiest way to sanitize HTML in ACF is to use the esc_html() function. This will strip out any HTML tags and encode special characters to make the string safe to display.

For example, if you have a text field with this HTML: <p><a href=”http://example.com”>Link</a></p>

You can display it safely like this:

echo esc_html( $field['value'] );

This will output: <p><a href=”http://example.com”>Link</a></p>

Allow Specific Tags

If you want to allow some HTML tags but not others, use wp_kses_post(). This lets you pass an array of allowed tags.

For example, to allow links and emphasis tags:

$allowed_tags = array(
    'a' => array(
        'href' => true
    ),
    'em' => true 
);

echo wp_kses_post( $field['value'], $allowed_tags );

This will strip out any tags not in the allowed_tags array, sanitizing the input.

Use ACF’s sanitize_callback

The best way to sanitize an ACF field is to use the sanitize_callback argument. You can pass a callback function that will be run whenever the field is saved.

For example:

'fields' => array(
    array(
        'key'           => 'html_field',
        'label'         => 'HTML Field',
        'name'          => 'html_field',
        'type'          => 'wysiwyg',
        'sanitize_callback' => 'my_acf_sanitize_html' 
    )
)

function my_acf_sanitize_html( $input ) {
    $allowed_html = array(
        'a' => array( 'href' => true ),
        'em' => true,
        'strong' => true
    );
    return wp_kses_post( $input, $allowed_html );
} 

This will run the my_acf_sanitize_html() function whenever the html_field is saved, sanitizing the input.

Using Esc_html() and Esc_attr() to Sanitize Output

To fix the “ACF PRO Will Soon Escape Unsafe HTML” warning, you’ll need to sanitize all output in your ACF fields. This means escaping HTML characters so they are not executed as code. ACF provides two helper functions for this:

esc_html()

Use esc_html() to sanitize output that will be displayed in the HTML body. This escapes characters like <, >, “, ‘, etc. For example:

echo esc_html( $your_string );

esc_attr()

Use esc_attr() to sanitize output used in HTML attributes like src, href, value, etc. For example:

echo '<a href="' . esc_attr( $your_string ) . '">Link</a>';
[php]

<h2>Examples of Escaping ACF Values Before Output</h2>
To fix this warning, you'll need to properly escape ACF field values before outputting them. This means converting characters that could be misinterpreted as HTML into HTML entities.

For example, to output a field named <code>my_text</code>, you'd use:
[php]
echo esc_html( get_field('my_text') );

The esc_html() function will escape things like <, >, “, ‘, and &. So if the field value was:

This is a <b>test</b> with "quotes" and 'apostrophes' & ampersands

The output would be:

This is a <b>test</b> with "quotes" and 'apostrophes' & ampersands

This prevents the text from being interpreted as actual HTML.

You’ll want to escape ACF values anywhere they’re output, like:

• In the_content()
• the_excerpt()
• the_title()
• Widgets (text, HTML, etc.)
• The Loop
• Comments
• etc.

So your code may look something like this:

the_content( esc_html( get_field('my_content') ) ); 
[php]

or

[php]
echo esc_html( get_field('my_text') ); 

in various places throughout your theme and plugins.

Other Methods for Sanitizing ACF HTML

One way to fix this warning is by sanitizing ACF fields that contain HTML. There are a few methods for sanitizing HTML in WordPress and with ACF.

esc_attr()

The esc_attr() function escapes HTML attribute values. Use this when outputting ACF field values in HTML attributes. For example:

echo '<a href="' . esc_attr($field_value) . '">Link</a>';

This will escape the $field_value, making it safe to use in the href attribute.

esc_html()

The esc_html() function escapes HTML for output in the HTML body. Use this when outputting ACF field values that will be displayed as raw HTML. For example:

echo esc_html($field_value);

This will escape the $field_value, making it safe to echo as HTML.

wp_kses_post()

The wp_kses_post() function strips out any invalid HTML and sanitizes the remaining HTML to ensure it’s safe for output. This is a more comprehensive sanitization method compared to esc_html(). Use this when allowing users to enter custom HTML in an ACF field.For example:

echo wp_kses_post($field_value);

This will sanitize the $field_value and strip out any unsafe HTML before outputting.

ACF Stripsafe

The Stripsafe ACF add-on allows you to configure allowed HTML tags, attributes and protocols on a per-field basis. This gives you granular control over HTML sanitization for ACF fields.

Should I sanitize ACF values on save or output?

It is best practice to sanitize ACF field values on output rather than save. This allows you to sanitize values for different contexts, and allows HTML/scripts in fields that are safely output in certain contexts.

What sanitization method should I use?

It depends on your needs. Use esc_attr() for attributes, esc_html() for basic HTML, wp_kses_post() for more comprehensive sanitization, and ACF Stripsafe for granular control.

When You Should Not Escape ACF HTML Output

Sometimes you’ll want ACF to output HTML instead of escaping it. For example, if you’re using ACF to build a post content editor with a rich text editor field, you’ll want the field to output HTML to properly format the content.

To tell ACF not to escape a field’s output, you can add esc_html => false to the field’s arguments:

$args = array(
    'label' => 'Content',
    'name' => 'content',
    'type' => 'wysiwyg',
    'toolbar' => 'full',
    'esc_html' => false
);

acf_add_local_field_group(array(
    'key' => 'group_1234',
    'title' => 'Content',
    'fields' => array($args)
));

Now the content field will output raw HTML which WordPress will properly format on the frontend.

You’ll also want to do this for any field where you intend to have HTML in the value, such as:

• Textarea fields
• Code fields
• Gallery fields
• Etc.

Any field where you’re allowing editors to add custom HTML, you’ll need to set esc_html => false. Otherwise, ACF will escape the HTML to prevent XSS vulnerabilities.

Escaping Unsafe HTML Rendered by ACF The_field()

ACF PRO recently started warning you that “ACF will soon escape unsafe HTML that is rendered by the_field()”. What does this mean and how can you fix it?

When ACF renders a field using the_field(), it outputs the value without escaping it. This means if the value contains HTML, it will be executed. While this is useful in some cases, it can also pose a security risk. To fix this, ACF PRO will automatically escape values to prevent unwanted HTML execution.

To fix this warning and opt-in to escaping values, you have two options:

1. Add esc_html() when echoing the_field()

echo esc_html( the_field('some_field') );

2. Add ‘escape_output’ => true when registering the field

acf_add_local_field( array(
'key' => 'some_field',
'name' => 'Some Field',
'type' => 'text',
'escape_output' => true
) );

This will tell ACF to automatically escape the value for this field when using the_field().

FAQ

Reach out to the Codeable experts for help. Their WordPress developers can fully audit your site and ACF PRO integration to fix any issues causing warnings.

There are a few key benefits to having Codeable audit your site:

• Comprehensive review – We will review all instances of ACF on your site, including fields, locations, and how ACF is integrated with your theme.

• Technical expertise – Our developers are ACF PRO experts and can identify issues that may be causing the unsafe HTML warning.

• Custom fixes – We will provide recommendations and implement any custom code fixes needed to resolve the warning and make your ACF integration safe and secure.

• Future-proofing – After fixing current issues, we can recommend best practices to implement going forward to avoid similar errors.

• Peace of mind – You’ll have confidence that your ACF PRO integration is running smoothly and not exposing your site to risk.

If you’d like a free consultation to discuss an ACF PRO audit for your site, feel free to reach out. We can review your issues, provide a free quote, and develop a customized plan to resolve any ACF or WordPress integration issues.