普通网友 2016-10-07 15:25
浏览 48
已采纳

esc_url在WordPress ACF oEmbed上

I'm using the ACF WordPress plugin to create an oEmbed field. The field accepts a URL from Vimeo and outputs an iframe on the front end.

I usually escape urls and attributes within my theme like so:

<a href="<?= esc_url( get_field('link') ); ?>" title="<?= esc_attr( get_field('title') ); ?>">

When I try and escape the oEmbed, nothing shows up:

<?= esc_url( get_field('video') ); ?>

If I test XSS with the following script, the ACF field completely breaks with a JS error.

<script>alert('hello')</script>

Do I need to escape this field? I assume that WordPress takes care of the escaping through the oEmbed function?

  • 写回答

2条回答 默认 最新

  • douxi8119 2016-10-07 21:09
    关注

    From the official documentation:

    The oEmbed field will return a string containing the embed HTML.

    Even if the input is of type URL, when getting the value, ACF transforms it to a full HTML embed code. In conclusion, it is wrong to call esc_url on this HTML, you just have to use the_field('video') or echo get_field('video').

    As for ACF accepting invalid (non-URL) data in oEmbed type inputs, you can write a custom validator to raise an error, if needed by implementing a filter: acf/validate_value.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 关于#wireshark#的问题:并且能够给数据做标注,如这个流量是在看视频或者是在转账
  • ¥90 请问,这个视频播放软件的名称,用过的朋友请给答案,上方..avi是啥意思?是看短剧还是播放本地视频?
  • ¥15 运筹优化,gurobi,python
  • ¥15 基于python的电影系统推荐
  • ¥20 springmvc重定向和返回json
  • ¥15 数学建模——参会安排怎么做
  • ¥15 电脑键盘实现触摸功能
  • ¥25 matlab无法将表达式转换为双数组怎么解决?
  • ¥15 单片机汇编语言相关程序
  • ¥20 家用射频美容仪技术规格