I'm using the ACF WordPress plugin to create an oEmbed field. The field accepts a URL from Vimeo and outputs an iframe on the front end.
I usually escape urls and attributes within my theme like so:
<a href="<?= esc_url( get_field('link') ); ?>" title="<?= esc_attr( get_field('title') ); ?>">
When I try and escape the oEmbed, nothing shows up:
<?= esc_url( get_field('video') ); ?>
If I test XSS with the following script, the ACF field completely breaks with a JS error.
<script>alert('hello')</script>
Do I need to escape this field? I assume that WordPress takes care of the escaping through the oEmbed function?