• Resolved hommealone

    (@hommealone)


    Are both of these acceptable? Are both safe? Is either one preferred?

    Escape at every instance of data output:

    $some_url = get_field('some_url');
    echo '<p>Visit <a href="' . esc_url($some_url) . '">this website</a></p>';
    echo '<p>Really!! Visit <a href="' . esc_url($some_url) . '">this website</a></p>';

    Escape only once at point of data retrieval:

    $some_url = esc_url(get_field('some_url'));
    echo '<p>Visit <a href="' . $some_url . '">this website</a></p>';
    echo '<p>Really!! Visit <a href="' . $some_url . '">this website</a></p>';

    If we are going to be using the piece of data in multiple places, the second can avoid a little duplication. Is it safe enough?

    If we make a habit of escaping the data when we first assign the variable, are we safe wherever we use it, as long as we are careful to never use the_field('some_url') unescaped?

Viewing 1 replies (of 1 total)
  • Plugin Support ACF Support

    (@acfsupport)

    Hi there!

    ACF Support Team here. Thanks for reaching out with your query; we would be happy to assist.

    In WordPress, it is preferred to escape content at the late stage of rendering. So the method below is most preferred.

    $some_url = get_field('some_url');
    echo '<p>Visit <a href="' . esc_url($some_url) . '">this website</a></p>';
    echo '<p>Really!! Visit <a href="' . esc_url($some_url) . '">this website</a></p>';

    Hope this info helps and if you need further clarification, please create a ticket using our support form and we can look into it further.
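
The late-escaping approach recommended in the reply, extended to the case where one field value is output in more than one context. This is an added example, not code from the thread or from ACF; it assumes WordPress and ACF are loaded, and the function name `render_site_link()` is hypothetical.

```php
<?php
/**
 * Added example: late, context-specific escaping of one ACF field value.
 * Assumes WordPress and ACF are loaded. render_site_link() is a
 * hypothetical helper name, not part of WordPress or ACF.
 */
function render_site_link( $field_name = 'some_url' ) {
    // Keep the retrieved value raw; do not escape at retrieval.
    $raw = get_field( $field_name );

    // An unset field does not come back as a string, so guard against it.
    if ( ! is_string( $raw ) || '' === trim( $raw ) ) {
        return '';
    }

    // esc_url() returns an empty string when the protocol is not allowed,
    // so check the result before building the anchor.
    $href = esc_url( $raw );
    if ( '' === $href ) {
        return '';
    }

    // Same value, three output contexts, three escaping functions,
    // each applied where the markup is assembled.
    return sprintf(
        '<p>Visit <a href="%1$s" title="%2$s">%3$s</a></p>',
        $href,             // URL context
        esc_attr( $raw ),  // HTML attribute context
        esc_html( $raw )   // HTML text context
    );
}

echo render_site_link( 'some_url' );
```

A variable escaped once with `esc_url()` at retrieval is only prepared for the URL context; keeping the raw value and escaping at output lets each use pick the function that matches where the value lands.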

  • The topic ‘Escaping get_field values in template files – best practice?’ is closed to new replies.