Since we discovered the Advanced Custom Field (ACF) plugin for WordPress, we’ve been using it in almost all of our WordPress projects. It makes WordPress’s backend so much easier for the end-user to change data. For instance, a client has a ‘meet the team’ page which lists their 20 or so employees. Originally, the team members were inputted manually by just typing markup in the page’s content area. Any time there was a change, they usually would have to contact us to make the change.
With ACF we added a repeater field that contained an image field, name field, social media links fields, and a description field. It is now very easy for the user to input the members and, also, using drag and drop they can rearrange the members in the order they prefer.
Security is always a big topic. Any time you have inputs on a website there is always a danger of someone using them to hack into your system. Best practice dictates that any input and output should be sanitized to help prevent code injection or other dangers.
ACF is usually used to add custom fields that are inputted on the backend, so there is a lot less access to these inputs, but we should still sanitize the inputs. By default ACF does not do this. The ACF developers address this on the following page: http://www.advancedcustomfields.com/resources/acf_form/#security. Using the code on that page, we add the following to our theme’s functions.php file.
```php
/* adding more security to ACF fields by sanitizing input */
/* from: http://www.advancedcustomfields.com/resources/acf_form/#security */
add_filter( 'acf/update_value', 'eth_kses_post', 10, 1 );

function eth_kses_post( $value ) {
    // repeater, group and multi-select values arrive as arrays:
    // sanitize every element recursively
    if ( is_array( $value ) ) {
        return array_map( 'eth_kses_post', $value );
    }

    // plain value: keep only HTML allowed in post content
    return wp_kses_post( $value );
}
```
To test that you’ve correctly implemented this, add a simple script to a text or text area ACF custom field and check whether it is stripped out when the post is saved. We did the following to confirm:
text: Hey, there!<script>console.log("hey, there!")</script>
After saving, the field showed the stripped version:
text: Hey, there!console.log("hey, there!")
Stripping out the <script> tags prevents the script from running. The filter uses the wp_kses_post() function, which strips any HTML that is not allowed in post content; note that only the tags are removed, and the text between them is kept, as the example above shows.