• squarecandy

    (@squarecandy)


    Hi Matt –

    Just wanted to note that the newest ACF versions that have deployed more sanitizing of code by default are making this display not look ideal.

    It’s all technically still working… just not as beautiful as it used to be with the icons actually able to render inline within the dropdown.

    Actually the select dropdown results are still looking good – just not the single selected value:

    I recognize that this is an ACF and select2 issue and not actually anything to do directly with your plugin. (This same issue is actually affecting us in a few other spots as well where we have hooked into the result values of select fields.) I did reach out to the ACF support team already and they said the following:

    The issue is actually by design, that HTML is escaped for security reasons. This was put in during our last update.

    There will be an option to get this working in a future update to ACF.
    We do not have an ETA for that.

    Hope this clears things up.

    Not sure if there’s anything to be done about it right away, but I did want to bring it to your attention on the off chance you were not aware already. Plus I also thought with 100k+ active users for this plugin, maybe the ACF team would put a little more urgency behind this fix if they heard from you about it as well.

    Thanks for the awesome plugin!

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Matt Keys

    (@mattkeys)

    Hey @squarecandy,

    Thanks for writing in about this and for the legwork you’ve already done trying to resolve the issue with ACF.

    I’ve just written in to ACF myself to ask about this issue to see if there is any way I can get it working like it used to.

    If there isn’t I suspect I’ll have to just remove the icon from that area which isn’t ideal but it beats a broken icon.

    Plugin Author Matt Keys

    (@mattkeys)

    ACF got back to me within minutes. They have some new filters that look like they will allow for some HTML in Select2. I need to read up more on how to properly use it. It puts the sanitation in my hands so I’ll have to figure out how to make it only allow the expected <i> tag HTML.

    Thread Starter squarecandy

    (@squarecandy)

    That’s great to hear they got back to you so quickly. Thanks for looking into it. Is there any documentation on the new filters?

    Plugin Author Matt Keys

    (@mattkeys)

    The new filter looks like it should come out in 6.2.8, which is currently only available as a release candidate.

    https://www.advancedcustomfields.com/blog/acf-6-2-8-rc1/#select2-html-escaping

    There are some notes in the new ‘select2_escape_markup’ filter in the URL above which further links to more documentation here:

    https://www.advancedcustomfields.com/resources/javascript-api/#filters-select2_escape_markup

    Plugin Author Matt Keys

    (@mattkeys)

    Interesting. Without making any further changes the problem goes away in this plugin when testing with ACF 6.2.8 RC1.

    This plugin already overrides the select2 escapeMarkup function using the select2_args filter. The markup is returned using an ACF helper function acf.escHtml.

    I’m not sure why that doesn’t fix things with ACF 6.2.7 as this isn’t using the new ‘select2_escape_markup’ filter that their support mentioned to me.

    I’ve written back to them asking if the acf.escHtml helper function is considered a valid way to sanitize the HTML.
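
What an allow-list for only the icon tag could look like, as an added example that is not part of the thread and not the plugin's or ACF's own code: everything is escaped except an empty `<i>` whose sole attribute is a `class` made of simple tokens. The names `escHtml`, `ICON_TAG` and `escapeMarkupAllowIcon` are hypothetical, and the filter callback's argument order is an assumption taken from the ACF documentation linked above.

```javascript
// Added example: escape Select2 markup but let one strictly shaped icon tag through.

// Escape the five HTML-significant characters.
function escHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The only shape allowed: <i class="token token"></i>, no other attributes,
// no inner content, class tokens limited to letters, digits, "_" and "-".
const ICON_TAG = /<i class="([A-Za-z0-9_-]+(?: [A-Za-z0-9_-]+)*)"><\/i>/g;

function escapeMarkupAllowIcon(markup) {
  const input = String(markup);
  let out = '';
  let last = 0;
  for (const match of input.matchAll(ICON_TAG)) {
    // Text between allowed tags is always escaped.
    out += escHtml(input.slice(last, match.index));
    // The tag is rebuilt from the validated class list, never copied verbatim.
    out += '<i class="' + match[1] + '"></i>';
    last = match.index + match[0].length;
  }
  return out + escHtml(input.slice(last));
}

// Wiring in the browser (skipped when the ACF JavaScript API is not loaded).
// Assumption: the callback receives the escaped value first and the original
// value second. A real plugin would also limit this to its own field type.
if (typeof acf !== 'undefined') {
  acf.add_filter('select2_escape_markup', function (escapedValue, originalValue) {
    return escapeMarkupAllowIcon(originalValue);
  });
}
```

Anything that deviates from the exact tag shape, such as an extra attribute or inner content, falls back to full escaping and is shown as literal text.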

    Thread Starter squarecandy

    (@squarecandy)

    Ok, yes I can confirm that 6.2.8 RC1 works fine without any code changes needed to ACF:FA for me as well. So maybe not worth trying to shoehorn a special fix and just wait for 6.2.8 to come out instead.

    Thanks for creating this thread @squarecandy. We just finished testing and I can confirm this issue is fixed in ACF PRO version 6.2.9.

    Thread Starter squarecandy

    (@squarecandy)

    Brilliant – thanks everyone!

  • The topic ‘New ACF versions html escaping in select2 breaks UI’ is closed to new replies.