普通网友
2016-10-07 15:25
浏览 48
已采纳

esc_url在WordPress ACF oEmbed上

I'm using the ACF WordPress plugin to create an oEmbed field. The field accepts a URL from Vimeo and outputs an iframe on the front end.

I usually escape urls and attributes within my theme like so:

<a href="<?= esc_url( get_field('link') ); ?>" title="<?= esc_attr( get_field('title') ); ?>">

When I try and escape the oEmbed, nothing shows up:

<?= esc_url( get_field('video') ); ?>

If I test XSS with the following script, the ACF field completely breaks with a JS error.

<script>alert('hello')</script>

Do I need to escape this field? I assume that WordPress takes care of the escaping through the oEmbed function?

  • 写回答
  • 好问题 提建议
  • 追加酬金
  • 关注问题
  • 邀请回答

2条回答 默认 最新

相关推荐 更多相似问题