普通网友 2016-10-07 15:25
浏览 48
已采纳

esc_url在WordPress ACF oEmbed上

I'm using the ACF WordPress plugin to create an oEmbed field. The field accepts a URL from Vimeo and outputs an iframe on the front end.

I usually escape urls and attributes within my theme like so:

<a href="<?= esc_url( get_field('link') ); ?>" title="<?= esc_attr( get_field('title') ); ?>">

When I try and escape the oEmbed, nothing shows up:

<?= esc_url( get_field('video') ); ?>

If I test XSS with the following script, the ACF field completely breaks with a JS error.

<script>alert('hello')</script>

Do I need to escape this field? I assume that WordPress takes care of the escaping through the oEmbed function?

  • 写回答

2条回答 默认 最新

  • douxi8119 2016-10-07 21:09
    关注

    From the official documentation:

    The oEmbed field will return a string containing the embed HTML.

    Even if the input is of type URL, when getting the value, ACF transforms it to a full HTML embed code. In conclusion, it is wrong to call esc_url on this HTML, you just have to use the_field('video') or echo get_field('video').

    As for ACF accepting invalid (non-URL) data in oEmbed type inputs, you can write a custom validator to raise an error, if needed by implementing a filter: acf/validate_value.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?