普通网友 2016-10-07 15:25
浏览 48
已采纳

esc_url在WordPress ACF oEmbed上

I'm using the ACF WordPress plugin to create an oEmbed field. The field accepts a URL from Vimeo and outputs an iframe on the front end.

I usually escape urls and attributes within my theme like so:

<a href="<?= esc_url( get_field('link') ); ?>" title="<?= esc_attr( get_field('title') ); ?>">

When I try and escape the oEmbed, nothing shows up:

<?= esc_url( get_field('video') ); ?>

If I test XSS with the following script, the ACF field completely breaks with a JS error.

<script>alert('hello')</script>

Do I need to escape this field? I assume that WordPress takes care of the escaping through the oEmbed function?

  • 写回答

2条回答 默认 最新

  • douxi8119 2016-10-07 21:09
    关注

    From the official documentation:

    The oEmbed field will return a string containing the embed HTML.

    Even if the input is of type URL, when getting the value, ACF transforms it to a full HTML embed code. In conclusion, it is wrong to call esc_url on this HTML, you just have to use the_field('video') or echo get_field('video').

    As for ACF accepting invalid (non-URL) data in oEmbed type inputs, you can write a custom validator to raise an error, if needed by implementing a filter: acf/validate_value.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 素材场景中光线烘焙后灯光失效
  • ¥15 请教一下各位,为什么我这个没有实现模拟点击
  • ¥15 执行 virtuoso 命令后,界面没有,cadence 启动不起来
  • ¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
  • ¥20 有关区间dp的问题求解
  • ¥15 多电路系统共用电源的串扰问题
  • ¥15 slam rangenet++配置
  • ¥15 有没有研究水声通信方面的帮我改俩matlab代码
  • ¥15 ubuntu子系统密码忘记
  • ¥15 保护模式-系统加载-段寄存器