Secure ACF display: a simple trick


  • With ACF version 6.2.7, it is important to use get_field() instead of the_field() to display the contents of a field.

    The reason is that the_field() automatically applies HTML escaping, which can break the display of certain content (iframes, embedded videos, etc.).

    The solution is simple:

    1. Use get_field('my_field') to retrieve the field value
    2. Apply content-appropriate HTML escaping yourself. For article type content, you can use wp_kses_post():


    // Retrieve the value
    $value = get_field('my_field');

    // HTML Escaping
    echo wp_kses_post($value);

    wp_kses_post() will remove dangerous tags like <script> while retaining most standard HTML tags.

    This way, you display the content securely, without breaking the layout.
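
By default wp_kses_post() also removes `<iframe>`, so embed fields need their own allowlist. The following is an added example, not code from the original post, that picks the escaping function per kind of content. The `mytheme_` helper names and the field names are hypothetical.

```php
<?php
// Added example (not from the original post). Field names are hypothetical.

// Allowlist for embed fields: the wp_kses_post() tag set plus <iframe>
// restricted to a few attributes.
function mytheme_embed_allowed_html() {
    $allowed           = wp_kses_allowed_html( 'post' );
    $allowed['iframe'] = array(
        'src'             => true,
        'width'           => true,
        'height'          => true,
        'title'           => true,
        'loading'         => true,
        'allow'           => true,
        'allowfullscreen' => true,
    );
    return $allowed;
}

// Echo an ACF field with escaping matched to the kind of content it holds.
function mytheme_render_field( $name, $kind ) {
    $value = get_field( $name );
    if ( ! is_string( $value ) || '' === $value ) {
        return; // empty, missing, or a field that returns an array/object
    }
    switch ( $kind ) {
        case 'text':  // plain text: all markup is encoded
            echo esc_html( $value );
            break;
        case 'url':   // value printed as a link target
            echo esc_url( $value );
            break;
        case 'embed': // iframe / video embed markup
            echo wp_kses( $value, mytheme_embed_allowed_html() );
            break;
        default:      // article-style rich text
            echo wp_kses_post( $value );
    }
}

// Usage in a template file:
// mytheme_render_field( 'subtitle', 'text' );
// mytheme_render_field( 'body', 'wysiwyg' );
// mytheme_render_field( 'video', 'embed' );
```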

    Houssen Moshinaly
