Escaping from ACF (Advanced Custom Fields)

ACF is one of the best tools out there to quickly create custom meta fields on your posts and pages.

There are two main ways to get the values from a custom field that was made with ACF:

The WP way

get_post_meta($post->ID, 'MyCustomFieldName', true);

Using ACF functions. This used to be considered bad practice because those functions made a bunch of unnecessary queries, but this was fixed in the latest versions, and today it's a safe and easy way to get data from a custom field.

Escape, it's a trap

Both of those ways require some escaping.
What is escaping, you may ask? Escaping is our way of cleaning the data inside the custom field so that it cannot introduce any vulnerabilities; ultimately it's just cleaning out all the stuff that doesn't need to be there.

Here is my main take on the fields that most need escaping and how to do it.

For titles and small text fields, both will do the trick.

esc_html($my_value);
esc_textarea($my_value);

For attributes

esc_attr($my_value);

URLs and links

esc_url($my_url);

For custom post meta that is longer than a small textarea and requires some HTML formatting, we can use

apply_filters( 'the_content', wp_kses_post( $my_value ) );

This sanitizes the value with wp_kses_post, then brings back the WP formatting for the custom post meta through the the_content filter, and we are all set.
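
The escaping functions above applied together in one template, as an added example that is not code from the original post: each custom field is escaped for the spot where it is printed. The function names `demo_meta_string` and `demo_render_promo_box` and the `promo_*` field names are hypothetical.

```php
<?php
// Added example: hypothetical helper and field names, not from the original post.

// Read one meta value as a string. get_post_meta() returns '' when the key is
// missing and can return an array for serialized values, so normalise both.
function demo_meta_string( $post_id, $key ) {
	$value = get_post_meta( $post_id, $key, true );
	return is_scalar( $value ) ? (string) $value : '';
}

function demo_render_promo_box( $post_id ) {
	$heading = demo_meta_string( $post_id, 'promo_heading' ); // plain text
	$tooltip = demo_meta_string( $post_id, 'promo_tooltip' ); // printed inside title=""
	$link    = demo_meta_string( $post_id, 'promo_link' );    // printed inside href=""
	$body    = demo_meta_string( $post_id, 'promo_body' );    // long text with HTML

	if ( '' === $heading && '' === $body ) {
		return; // nothing to print
	}

	// esc_url() returns '' for schemes it does not allow (for example
	// javascript:), so test the result before building the link.
	$safe_link = esc_url( $link );
	?>
	<div class="promo-box" title="<?php echo esc_attr( $tooltip ); ?>">
		<h2><?php echo esc_html( $heading ); ?></h2>

		<?php // Same call as in the post: strip disallowed tags, then apply WP formatting. ?>
		<div class="promo-body">
			<?php echo apply_filters( 'the_content', wp_kses_post( $body ) ); ?>
		</div>

		<?php if ( '' !== $safe_link ) : ?>
			<?php // $safe_link already went through esc_url() above. ?>
			<a href="<?php echo $safe_link; ?>"><?php echo esc_html( $heading ); ?></a>
		<?php endif; ?>
	</div>
	<?php
}
```

Note that the same `$heading` value is escaped twice, once per place it is printed, rather than once when it is read.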
