Updates to 6.2.5

acf.php

@@ -9,7 +9,7 @@
  * Plugin Name:       Advanced Custom Fields PRO
  * Plugin URI:        https://www.advancedcustomfields.com
  * Description:       Customize WordPress with powerful, professional and intuitive fields.
- * Version:           6.2.4
+ * Version:           6.2.5
  * Author:            WP Engine
  * Author URI:        https://wpengine.com/?utm_source=wordpress.org&utm_medium=referral&utm_campaign=plugin_directory&utm_content=advanced_custom_fields
  * Update URI:        https://www.advancedcustomfields.com/pro
@@ -36,7 +36,7 @@ if ( ! class_exists( 'ACF' ) ) {
 		 *
 		 * @var string
 		 */
-		public $version = '6.2.4';
+		public $version = '6.2.5';
 
 		/**
 		 * The plugin settings array.

assets/build/js/acf-escaped-html-notice.js

@@ -0,0 +1,39 @@
+/******/ (() => { // webpackBootstrap
+var __webpack_exports__ = {};
+/*!*********************************************************************************!*\
+  !*** ./src/advanced-custom-fields-pro/assets/src/js/acf-escaped-html-notice.js ***!
+  \*********************************************************************************/
+(function ($, undefined) {
+  const $notice = $('.acf-escaped-html-notice');
+  $notice.on('click', '.notice-dismiss', function (e) {
+    const $target = $(e.target).closest('.acf-escaped-html-notice');
+    let to_dismiss = 'escaped_html';
+    if ($target.hasClass('acf-will-escape')) {
+      to_dismiss = 'to_be_escaped';
+    }
+    $.ajax({
+      url: ajaxurl,
+      data: {
+        'action': 'acf/dismiss_escaped_html_notice',
+        'nonce': acf_escaped_html_notice.nonce,
+        'notice': to_dismiss
+      },
+      type: 'post'
+    });
+  });
+  $notice.on('click', '.acf-show-more-details', function (e) {
+    e.preventDefault();
+    const $link = $(e.target);
+    const $details = $link.closest('.acf-escaped-html-notice').find('.acf-error-details');
+    if ($details.is(':hidden')) {
+      $details.slideDown(100);
+      $link.text(acf_escaped_html_notice.hide_details);
+    } else {
+      $details.slideUp(100);
+      $link.text(acf_escaped_html_notice.show_details);
+    }
+  });
+})(jQuery);
+/******/ })()
+;
+//# sourceMappingURL=acf-escaped-html-notice.js.map

assets/build/js/acf-escaped-html-notice.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acf-escaped-html-notice.js","mappings":";;;;;AAAA,CAAE,UAAWA,CAAC,EAAEC,SAAS,EAAG;EAE3B,MAAMC,OAAO,GAAGF,CAAC,CAAE,0BAA2B,CAAC;EAE/CE,OAAO,CAACC,EAAE,CAAE,OAAO,EAAE,iBAAiB,EAAE,UAAUC,CAAC,EAAG;IACrD,MAAMC,OAAO,GAAGL,CAAC,CAAEI,CAAC,CAACE,MAAO,CAAC,CAACC,OAAO,CAAE,0BAA2B,CAAC;IAEnE,IAAIC,UAAU,GAAG,cAAc;IAC/B,IAAKH,OAAO,CAACI,QAAQ,CAAE,iBAAkB,CAAC,EAAG;MAC5CD,UAAU,GAAG,eAAe;IAC7B;IAEAR,CAAC,CAACU,IAAI,CAAE;MACPC,GAAG,EAAEC,OAAO;MACZC,IAAI,EAAE;QACL,QAAQ,EAAE,iCAAiC;QAC3C,OAAO,EAAEC,uBAAuB,CAACC,KAAK;QACtC,QAAQ,EAAEP;MACX,CAAC;MACDQ,IAAI,EAAE;IACP,CAAE,CAAC;EACJ,CAAE,CAAC;EAEHd,OAAO,CAACC,EAAE,CAAE,OAAO,EAAE,wBAAwB,EAAE,UAAUC,CAAC,EAAG;IAC5DA,CAAC,CAACa,cAAc,CAAC,CAAC;IAElB,MAAMC,KAAK,GAAGlB,CAAC,CAAEI,CAAC,CAACE,MAAO,CAAC;IAC3B,MAAMa,QAAQ,GAAGD,KAAK,CAACX,OAAO,CAAE,0BAA2B,CAAC,CAACa,IAAI,CAAE,oBAAqB,CAAC;IAEzF,IAAKD,QAAQ,CAACE,EAAE,CAAE,SAAU,CAAC,EAAG;MAC/BF,QAAQ,CAACG,SAAS,CAAE,GAAI,CAAC;MACzBJ,KAAK,CAACK,IAAI,CAAET,uBAAuB,CAACU,YAAa,CAAC;IACnD,CAAC,MAAM;MACNL,QAAQ,CAACM,OAAO,CAAE,GAAI,CAAC;MACvBP,KAAK,CAACK,IAAI,CAAET,uBAAuB,CAACY,YAAa,CAAC;IACnD;EACD,CAAE,CAAC;AAEJ,CAAC,EAAIC,MAAO,CAAC,C","sources":["webpack://advanced-custom-fields-pro/./src/advanced-custom-fields-pro/assets/src/js/acf-escaped-html-notice.js"],"sourcesContent":["( function ( $, undefined ) {\n\n\tconst $notice = $( '.acf-escaped-html-notice' );\n\n\t$notice.on( 'click', '.notice-dismiss', function( e ) {\n\t\tconst $target = $( e.target ).closest( '.acf-escaped-html-notice' );\n\n\t\tlet to_dismiss = 'escaped_html';\n\t\tif ( $target.hasClass( 'acf-will-escape' ) ) {\n\t\t\tto_dismiss = 'to_be_escaped';\n\t\t}\n\n\t\t$.ajax( {\n\t\t\turl: ajaxurl,\n\t\t\tdata: {\n\t\t\t\t'action': 'acf/dismiss_escaped_html_notice',\n\t\t\t\t'nonce': acf_escaped_html_notice.nonce,\n\t\t\t\t'notice': to_dismiss,\n\t\t\t},\n\t\t\ttype: 'post'\n\t\t} );\n\t} );\n\n\t$notice.on( 'click', '.acf-show-more-details', function( e ) {\n\t\te.preventDefault();\n\n\t\tconst $link = $( e.target );\n\t\tconst $details = $link.closest( '.acf-escaped-html-notice' ).find( '.acf-error-details' );\n\n\t\tif ( $details.is( ':hidden' ) ) {\n\t\t\t$details.slideDown( 100 );\n\t\t\t$link.text( acf_escaped_html_notice.hide_details );\n\t\t} else {\n\t\t\t$details.slideUp( 100 );\n\t\t\t$link.text( acf_escaped_html_notice.show_details );\n\t\t}\n\t} );\n\n} )( jQuery );\n"],"names":["$","undefined","$notice","on","e","$target","target","closest","to_dismiss","hasClass","ajax","url","ajaxurl","data","acf_escaped_html_notice","nonce","type","preventDefault","$link","$details","find","is","slideDown","text","hide_details","slideUp","show_details","jQuery"],"sourceRoot":""}

assets/build/js/acf-escaped-html-notice.min.js

@@ -0,0 +1 @@
+!function(e,t){const c=e(".acf-escaped-html-notice");c.on("click",".notice-dismiss",(function(t){let c="escaped_html";e(t.target).closest(".acf-escaped-html-notice").hasClass("acf-will-escape")&&(c="to_be_escaped"),e.ajax({url:ajaxurl,data:{action:"acf/dismiss_escaped_html_notice",nonce:acf_escaped_html_notice.nonce,notice:c},type:"post"})})),c.on("click",".acf-show-more-details",(function(t){t.preventDefault();const c=e(t.target),a=c.closest(".acf-escaped-html-notice").find(".acf-error-details");a.is(":hidden")?(a.slideDown(100),c.text(acf_escaped_html_notice.hide_details)):(a.slideUp(100),c.text(acf_escaped_html_notice.show_details))}))}(jQuery);

assets/build/js/acf-field-group.js

@@ -928,7 +928,6 @@ function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t =
       // The menu order
       //menu_order: 0
     },
-
     setup: function ($field) {
       // set $el
       this.$el = $field;
@@ -3035,19 +3034,19 @@ function _defineProperty(obj, key, value) {
 "use strict";
 __webpack_require__.r(__webpack_exports__);
 /* harmony export */ __webpack_require__.d(__webpack_exports__, {
-/* harmony export */   "default": () => (/* binding */ _toPrimitive)
+/* harmony export */   "default": () => (/* binding */ toPrimitive)
 /* harmony export */ });
 /* harmony import */ var _typeof_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! ./typeof.js */ "./node_modules/@babel/runtime/helpers/esm/typeof.js");
 
-function _toPrimitive(input, hint) {
-  if ((0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(input) !== "object" || input === null) return input;
-  var prim = input[Symbol.toPrimitive];
-  if (prim !== undefined) {
-    var res = prim.call(input, hint || "default");
-    if ((0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(res) !== "object") return res;
+function toPrimitive(t, r) {
+  if ("object" != (0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(t) || !t) return t;
+  var e = t[Symbol.toPrimitive];
+  if (void 0 !== e) {
+    var i = e.call(t, r || "default");
+    if ("object" != (0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(i)) return i;
     throw new TypeError("@@toPrimitive must return a primitive value.");
   }
-  return (hint === "string" ? String : Number)(input);
+  return ("string" === r ? String : Number)(t);
 }
 
 /***/ }),
@@ -3061,15 +3060,15 @@ function _toPrimitive(input, hint) {
 "use strict";
 __webpack_require__.r(__webpack_exports__);
 /* harmony export */ __webpack_require__.d(__webpack_exports__, {
-/* harmony export */   "default": () => (/* binding */ _toPropertyKey)
+/* harmony export */   "default": () => (/* binding */ toPropertyKey)
 /* harmony export */ });
 /* harmony import */ var _typeof_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! ./typeof.js */ "./node_modules/@babel/runtime/helpers/esm/typeof.js");
 /* harmony import */ var _toPrimitive_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(/*! ./toPrimitive.js */ "./node_modules/@babel/runtime/helpers/esm/toPrimitive.js");
 
 
-function _toPropertyKey(arg) {
-  var key = (0,_toPrimitive_js__WEBPACK_IMPORTED_MODULE_1__["default"])(arg, "string");
-  return (0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(key) === "symbol" ? key : String(key);
+function toPropertyKey(t) {
+  var i = (0,_toPrimitive_js__WEBPACK_IMPORTED_MODULE_1__["default"])(t, "string");
+  return "symbol" == (0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(i) ? i : String(i);
 }
 
 /***/ }),

assets/build/js/acf-input.js

@@ -1171,7 +1171,6 @@
       // the field which we query against
       rule: {} // the rule [field, operator, value]
     },
-
     events: {
       change: 'change',
       keyup: 'change',
@@ -1538,7 +1537,6 @@
       // Reference used during "change" event.
       groups: [] // The groups of condition instances.
     },
-
     setup: function (field) {
       // data
       this.data.field = field;

assets/build/js/pro/acf-pro-blocks.js

@@ -5066,19 +5066,19 @@ function _defineProperty(obj, key, value) {
 "use strict";
 __webpack_require__.r(__webpack_exports__);
 /* harmony export */ __webpack_require__.d(__webpack_exports__, {
-/* harmony export */   "default": () => (/* binding */ _toPrimitive)
+/* harmony export */   "default": () => (/* binding */ toPrimitive)
 /* harmony export */ });
 /* harmony import */ var _typeof_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! ./typeof.js */ "./node_modules/@babel/runtime/helpers/esm/typeof.js");
 
-function _toPrimitive(input, hint) {
-  if ((0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(input) !== "object" || input === null) return input;
-  var prim = input[Symbol.toPrimitive];
-  if (prim !== undefined) {
-    var res = prim.call(input, hint || "default");
-    if ((0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(res) !== "object") return res;
+function toPrimitive(t, r) {
+  if ("object" != (0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(t) || !t) return t;
+  var e = t[Symbol.toPrimitive];
+  if (void 0 !== e) {
+    var i = e.call(t, r || "default");
+    if ("object" != (0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(i)) return i;
     throw new TypeError("@@toPrimitive must return a primitive value.");
   }
-  return (hint === "string" ? String : Number)(input);
+  return ("string" === r ? String : Number)(t);
 }
 
 /***/ }),
@@ -5092,15 +5092,15 @@ function _toPrimitive(input, hint) {
 "use strict";
 __webpack_require__.r(__webpack_exports__);
 /* harmony export */ __webpack_require__.d(__webpack_exports__, {
-/* harmony export */   "default": () => (/* binding */ _toPropertyKey)
+/* harmony export */   "default": () => (/* binding */ toPropertyKey)
 /* harmony export */ });
 /* harmony import */ var _typeof_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! ./typeof.js */ "./node_modules/@babel/runtime/helpers/esm/typeof.js");
 /* harmony import */ var _toPrimitive_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(/*! ./toPrimitive.js */ "./node_modules/@babel/runtime/helpers/esm/toPrimitive.js");
 
 
-function _toPropertyKey(arg) {
-  var key = (0,_toPrimitive_js__WEBPACK_IMPORTED_MODULE_1__["default"])(arg, "string");
-  return (0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(key) === "symbol" ? key : String(key);
+function toPropertyKey(t) {
+  var i = (0,_toPrimitive_js__WEBPACK_IMPORTED_MODULE_1__["default"])(t, "string");
+  return "symbol" == (0,_typeof_js__WEBPACK_IMPORTED_MODULE_0__["default"])(i) ? i : String(i);
 }
 
 /***/ }),

assets/build/js/pro/acf-pro-input.js

@@ -1366,7 +1366,6 @@
       //	$control.removeClass('-min');
       //}
     },
-
     listenForSavedMetaBoxes: function () {
       if (!acf.isGutenbergPostEditor() || !this.get('pagination')) {
         return;
@@ -1701,7 +1700,6 @@
         }
       });
     },
-
     isCollapsed: function ($row) {
       return $row.hasClass('-collapsed');
     },

includes/acf-value-functions.php

@@ -12,7 +12,7 @@ acf_register_store( 'values' )->prop( 'multisite', true );
  * @since   5.6.5
  *
  * @param   string $field_name The name of the field. eg 'sub_heading'.
- * @param   mixed  $post_id The post_id of which the value is saved against.
+ * @param   mixed  $post_id    The post_id of which the value is saved against.
  * @return  string The field key.
  */
 function acf_get_reference( $field_name, $post_id ) {
@@ -45,8 +45,8 @@ function acf_get_reference( $field_name, $post_id ) {
  * @date    28/09/13
  * @since   5.0.0
  *
- * @param   int|string $post_id The post id.
- * @param   array      $field The field array.
+ * @param   integer|string $post_id The post id.
+ * @param   array          $field   The field array.
  * @return  mixed
  */
 function acf_get_value( $post_id, $field ) {
@@ -134,45 +134,47 @@ acf_add_filter_variations( 'acf/load_value', array( 'type', 'name', 'key' ), 2 )
  *
  * Returns a formatted version of the provided value.
  *
- * @date    28/09/13
  * @since   5.0.0
  *
- * @param   mixed        $value The field value.
- * @param   (int|string) $post_id The post id.
- * @param   array        $field The field array.
- * @return  mixed.
+ * @param mixed          $value     The field value.
+ * @param integer|string $post_id   The post id.
+ * @param array          $field     The field array.
+ * @param boolean        $escape_html Ask the field for a HTML safe version of it's output.
+ * @return mixed
  */
-function acf_format_value( $value, $post_id, $field ) {
+function acf_format_value( $value, $post_id, $field, $escape_html = false ) {
 
 	// Allow filter to short-circuit load_value logic.
-	$check = apply_filters( 'acf/pre_format_value', null, $value, $post_id, $field );
+	$check = apply_filters( 'acf/pre_format_value', null, $value, $post_id, $field, $escape_html );
 	if ( $check !== null ) {
 		return $check;
 	}
 
 	// Get field name.
 	$field_name = $field['name'];
+	$cache_name = $escape_html ? "$post_id:$field_name:escaped" : "$post_id:$field_name:formatted";
 
 	// Check store.
 	$store = acf_get_store( 'values' );
-	if ( $store->has( "$post_id:$field_name:formatted" ) ) {
-		return $store->get( "$post_id:$field_name:formatted" );
+	if ( $store->has( $cache_name ) ) {
+		return $store->get( $cache_name );
 	}
 
 	/**
 	 * Filters the $value for use in a template function.
 	 *
-	 * @date    28/09/13
 	 * @since   5.0.0
 	 *
-	 * @param   mixed $value The value to preview.
-	 * @param   string $post_id The post ID for this value.
-	 * @param   array $field The field array.
+	 * @param mixed   $value       The value to preview.
+	 * @param string  $post_id     The post ID for this value.
+	 * @param array   $field       The field array.
+	 * @param boolean $escape_html Ask the field for a HTML safe version of it's output.
+	 *                             This parameter will not guarantee the result is escaped, only if the field type supports it.
 	 */
-	$value = apply_filters( 'acf/format_value', $value, $post_id, $field );
+	$value = apply_filters( 'acf/format_value', $value, $post_id, $field, $escape_html );
 
 	// Update store.
-	$store->set( "$post_id:$field_name:formatted", $value );
+	$store->set( $cache_name, $value );
 
 	// Return value.
 	return $value;
@@ -189,10 +191,10 @@ acf_add_filter_variations( 'acf/format_value', array( 'type', 'name', 'key' ), 2
  * @date    28/09/13
  * @since   5.0.0
  *
- * @param   mixed        $value The new value.
+ * @param   mixed        $value   The new value.
  * @param   (int|string) $post_id The post id.
- * @param   array        $field The field array.
- * @return  bool.
+ * @param   array        $field   The field array.
+ * @return  boolean
  */
 function acf_update_value( $value, $post_id, $field ) {
 
@@ -271,7 +273,7 @@ function acf_update_values( $values, $post_id ) {
  * @date    22/1/19
  * @since   5.7.10
  *
- * @param   (int|string) $post_id The post id.
+ * @param   (int|string) $post_id    The post id.
  * @param   string       $field_name The field name.
  * @return  void
  */
@@ -280,7 +282,8 @@ function acf_flush_value_cache( $post_id = 0, $field_name = '' ) {
 	// Delete stored data.
 	acf_get_store( 'values' )
 		->remove( "$post_id:$field_name" )
-		->remove( "$post_id:$field_name:formatted" );
+		->remove( "$post_id:$field_name:formatted" )
+		->remove( "$post_id:$field_name:escaped" );
 }
 
 /**
@@ -292,8 +295,8 @@ function acf_flush_value_cache( $post_id = 0, $field_name = '' ) {
  * @since   5.0.0
  *
  * @param   (int|string) $post_id The post id.
- * @param   array        $field The field array.
- * @return  bool.
+ * @param   array        $field   The field array.
+ * @return  boolean
  */
 function acf_delete_value( $post_id, $field ) {
 
@@ -333,10 +336,10 @@ acf_add_filter_variations( 'acf/delete_value', array( 'type', 'name', 'key' ), 2
  * @date    28/09/13
  * @since   5.0.0
  *
- * @param   mixed        $value The new value.
+ * @param   mixed        $value   The new value.
  * @param   (int|string) $post_id The post id.
- * @param   array        $field The field array.
- * @return  bool.
+ * @param   array        $field   The field array.
+ * @return  boolean
  */
 function acf_preview_value( $value, $post_id, $field ) {
 

includes/admin/admin.php

@@ -11,18 +11,17 @@ if ( ! class_exists( 'ACF_Admin' ) ) :
 		/**
 		 * Constructor.
 		 *
-		 * @date    23/06/12
-		 * @since   5.0.0
+		 * @since 5.0.0
 		 *
-		 * @param   void
-		 * @return  void
+		 * @return void
 		 */
-		function __construct() {
-			// Add actions.
+		public function __construct() {
 			add_action( 'admin_menu', array( $this, 'admin_menu' ) );
 			add_action( 'admin_enqueue_scripts', array( $this, 'admin_enqueue_scripts' ) );
 			add_action( 'admin_body_class', array( $this, 'admin_body_class' ) );
 			add_action( 'current_screen', array( $this, 'current_screen' ) );
+			add_action( 'admin_notices', array( $this, 'maybe_show_escaped_html_notice' ) );
+			add_action( 'wp_ajax_acf/dismiss_escaped_html_notice', array( $this, 'dismiss_escaped_html_notice' ) );
 			add_filter( 'parent_file', array( $this, 'ensure_menu_selection' ) );
 			add_filter( 'submenu_file', array( $this, 'ensure_submenu_selection' ) );
 		}
@@ -51,14 +50,23 @@ if ( ! class_exists( 'ACF_Admin' ) ) :
 		/**
 		 * Enqueues global admin styling.
 		 *
-		 * @date    28/09/13
 		 * @since   5.0.0
 		 *
-		 * @param   void
-		 * @return  void
+		 * @return void
 		 */
-		function admin_enqueue_scripts() {
+		public function admin_enqueue_scripts() {
 			wp_enqueue_style( 'acf-global' );
+			wp_enqueue_script( 'acf-escaped-html-notice' );
+
+			wp_localize_script(
+				'acf-escaped-html-notice',
+				'acf_escaped_html_notice',
+				array(
+					'nonce'        => wp_create_nonce( 'acf/dismiss_escaped_html_notice' ),
+					'show_details' => __( 'Show details', 'acf' ),
+					'hide_details' => __( 'Hide details', 'acf' ),
+				)
+			);
 		}
 
 		/**
@@ -199,6 +207,63 @@ if ( ! class_exists( 'ACF_Admin' ) ) :
 			acf_add_admin_notice( $text, 'success', true, true );
 		}
 
+		/**
+		 * Notifies the user that fields rendered via shortcode or the_field() have
+		 * had HTML removed/altered due to unsafe HTML being escaped.
+		 *
+		 * @since 6.2.5
+		 *
+		 * @return void
+		 */
+		public function maybe_show_escaped_html_notice() {
+			// Only show to editors and above.
+			if ( ! current_user_can( 'edit_others_posts' ) ) {
+				return;
+			}
+
+			// Allow opting-out of the notice.
+			if ( apply_filters( 'acf/admin/prevent_escaped_html_notice', false ) ) {
+				return;
+			}
+
+			$escaped = _acf_get_escaped_html_log();
+
+			// Notice for when HTML has already been escaped.
+			if ( ! empty( $escaped ) ) {
+				acf_get_view( 'escaped-html-notice', array( 'acf_escaped' => $escaped ) );
+			}
+
+			// Throw a separate notice for HTML that will be escaped in future releases.
+			if ( ! apply_filters( 'acf/the_field/escape_html_optin', false ) ) {
+				$will_escape = _acf_get_will_escape_html_log();
+
+				if ( ! empty( $will_escape ) ) {
+					acf_get_view( 'escaped-html-notice', array( 'acf_will_escape' => $will_escape ) );
+				}
+			}
+		}
+
+		/**
+		 * Dismisses the escaped unsafe HTML notice by clearing the stored log.
+		 *
+		 * @since 6.2.5
+		 */
+		public function dismiss_escaped_html_notice() {
+			if (
+				! check_admin_referer( 'acf/dismiss_escaped_html_notice', 'nonce' ) ||
+				! current_user_can( acf_get_setting( 'capability' ) ) ) {
+				return;
+			}
+
+			$to_dismiss = acf_request_arg( 'notice', 'escaped_html' );
+
+			if ( 'escaped_html' === $to_dismiss ) {
+				_acf_delete_escaped_html_log();
+			} else {
+				_acf_delete_will_escape_html_log();
+			}
+		}
+
 		/**
 		 * Renders the admin navigation element.
 		 *

includes/admin/views/escaped-html-notice.php

@@ -0,0 +1,70 @@
+<?php
+
+$acf_plugin_name      = acf_is_pro() ? 'ACF PRO' : 'ACF';
+$acf_plugin_name      = '<strong>' . $acf_plugin_name . ' &mdash;</strong>';
+$acf_learn_how_to_fix = '<a href="' . acf_add_url_utm_tags( 'https://www.advancedcustomfields.com/escaping-the-field/', 'docs', '6-2-5-security-changes' ) . '" target="_blank">' . __( 'Learn how to fix', 'acf' ) . '</a>';
+$acf_class            = '';
+$acf_user_can_acf     = false;
+
+if ( current_user_can( acf_get_setting( 'capability' ) ) ) {
+	$acf_user_can_acf = true;
+	$acf_show_details = ' <a class="acf-show-more-details" href="#">' . __( 'Show details', 'acf' ) . '</a>';
+	$acf_class        = ' is-dismissible';
+} else {
+	$acf_show_details = __( 'Please contact your site admin for more details.', 'acf' );
+}
+
+if ( ! empty( $acf_will_escape ) ) {
+	$acf_escaped   = $acf_will_escape;
+	$acf_class    .= ' notice-warning acf-will-escape';
+	$acf_error_msg = sprintf(
+		/* translators: %1$s - name of the ACF plugin. %2$s - Link to documentation. %3$s - Link to show more details about the error */
+		__( '%1$s ACF will soon escape unsafe HTML that is rendered by <code>the_field()</code>. We\'ve detected the output of some of your fields will be modified by this change. %2$s. %3$s', 'acf' ),
+		$acf_plugin_name,
+		$acf_learn_how_to_fix,
+		$acf_show_details
+	);
+} else {
+	$acf_class .= ' notice-error';
+
+	if ( apply_filters( 'acf/the_field/escape_html_optin', false ) ) {
+		$acf_error_msg = sprintf(
+		/* translators: %1$s - name of the ACF plugin. %2$s - Link to documentation. %3$s - Link to show more details about the error */
+			__( '%1$s ACF now automatically escapes unsafe HTML when rendered by <code>the_field</code> or the ACF shortcode. We\'ve detected the output of some of your fields will be modified by this change. %2$s. %3$s', 'acf' ),
+			$acf_plugin_name,
+			$acf_learn_how_to_fix,
+			$acf_show_details
+		);
+	} else {
+		$acf_error_msg = sprintf(
+		/* translators: %1$s - name of the ACF plugin. %2$s - Link to documentation. %3$s - Link to show more details about the error */
+			__( '%1$s ACF now automatically escapes unsafe HTML when rendered by the ACF shortcode. We\'ve detected the output of some of your fields will be modified by this change. %2$s. %3$s', 'acf' ),
+			$acf_plugin_name,
+			$acf_learn_how_to_fix,
+			$acf_show_details
+		);
+	}
+}
+
+
+?>
+<div class="acf-admin-notice notice acf-escaped-html-notice<?php echo esc_attr( $acf_class ); ?>">
+	<p><?php echo acf_esc_html( $acf_error_msg ); ?></p>
+	<?php if ( $acf_user_can_acf && ! empty( $acf_escaped ) ) : ?>
+	<ul class="acf-error-details" style="display: none; list-style: disc; margin-left: 14px;">
+		<?php
+		foreach ( $acf_escaped as $acf_field_key => $acf_data ) {
+			$acf_error = sprintf(
+				/* translators: %1$s - The selector used  %2$s The field name  3%$s The parent function name */
+				__( '%1$s (%2$s) - rendered via %3$s', 'acf' ),
+				$acf_data['selector'],
+				$acf_data['field'],
+				$acf_data['function']
+			);
+
+			echo '<li>' . esc_html( $acf_error ) . '</li>';
+		}
+		?>
+	</ul>
+	<?php endif; ?>
+</div>

includes/api/api-template.php

@@ -1,23 +1,22 @@
 <?php
 
-/*
-*  get_field()
-*
-*  This function will return a custom field value for a specific field name/key + post_id.
-*  There is a 3rd parameter to turn on/off formating. This means that an image field will not use
-*  its 'return option' to format the value but return only what was saved in the database
-*
-*  @type    function
-*  @since   3.6
-*  @date    29/01/13
-*
-*  @param   $selector (string) the field name or key
-*  @param   $post_id (mixed) the post_id of which the value is saved against
-*  @param   $format_value (boolean) whether or not to format the value as described above
-*  @return  (mixed)
-*/
-
-function get_field( $selector, $post_id = false, $format_value = true ) {
+/**
+ *  get_field()
+ *
+ *  This function will return a custom field value for a specific field name/key + post_id.
+ *  There is a 3rd parameter to turn on/off formating. This means that an image field will not use
+ *  its 'return option' to format the value but return only what was saved in the database
+ *
+ * @since   3.6
+ *
+ * @param string  $selector     The field name or key.
+ * @param mixed   $post_id      The post_id of which the value is saved against.
+ * @param boolean $format_value Whether or not to format the value as described above.
+ * @param boolean $escape_html  If we're formatting the value, should we also ask the field to escape it for unsafe html.
+ *                              This parameter will not guarantee the result is escaped, only if the field type supports it.
+ * @return  mixed
+ */
+function get_field( $selector, $post_id = false, $format_value = true, $escape_html = false ) {
 
 	// filter post_id
 	$post_id = acf_get_valid_post_id( $post_id );
@@ -46,7 +45,7 @@ function get_field( $selector, $post_id = false, $format_value = true ) {
 	if ( $format_value ) {
 
 		// get value for field
-		$value = acf_format_value( $value, $post_id, $field );
+		$value = acf_format_value( $value, $post_id, $field, $escape_html );
 	}
 
 	// return
@@ -56,37 +55,227 @@ function get_field( $selector, $post_id = false, $format_value = true ) {
 /**
  *  This function is the same as echo get_field().
  *
- *  @since   1.0.3
- *  @date    29/01/13
+ * @since   1.0.3
+ * @date    29/01/13
  *
- *  @param string $selector The field name or key.
- *  @param mixed  $post_id  The post_id of which the value is saved against.
- *  @return  void
+ * @param string  $selector     The field name or key.
+ * @param mixed   $post_id      The post_id of which the value is saved against.
+ * @param boolean $format_value Enable formatting of value.
+ * @return  void
  */
 function the_field( $selector, $post_id = false, $format_value = true ) {
-	$value = get_field( $selector, $post_id, $format_value );
+	$field = get_field_object( $selector, $post_id, $format_value, true, false );
+	$value = $field ? $field['value'] : get_field( $selector, $post_id, $format_value, false );
 
 	if ( is_array( $value ) ) {
 		$value = implode( ', ', $value );
 	}
 
-	echo $value;
+	// If we're not a scalar we'd throw an error, so return early for safety.
+	if ( ! is_scalar( $value ) ) {
+		return;
+	}
+
+	$field_type              = is_array( $field ) && isset( $field['type'] ) ? $field['type'] : 'text';
+	$field_type_escapes_html = acf_field_type_supports( $field_type, 'escaping_html' );
+
+	if ( ! apply_filters( 'acf/the_field/allow_unsafe_html', false, $selector, $post_id, $field_type, $field ) ) {
+		/*
+		 * If the field is compatible with generating a html safe version, use it, otherwise run the value through acf_esc_html.
+		 *
+		 * This logic become default in an upcoming release of ACF, where we will always ask for a html safe version regardless of support
+		 * then additionally run `acf_esc_html` if the field type is not marked as supporting `escaping_html`.
+		 */
+
+		if ( $field_type_escapes_html ) {
+			$new_value = get_field( $selector, $post_id, $format_value, true );
+
+			if ( is_array( $new_value ) ) {
+				$new_value = implode( ', ', $new_value );
+			}
+		} else {
+			$new_value = acf_esc_html( $value );
+		}
+
+		if ( (string) $value !== (string) $new_value ) {
+			if ( apply_filters( 'acf/the_field/escape_html_optin', false ) ) {
+				$value = $new_value;
+				do_action( 'acf/removed_unsafe_html', __FUNCTION__, $selector, $field, $post_id );
+			} else {
+				do_action( 'acf/will_remove_unsafe_html', __FUNCTION__, $selector, $field, $post_id );
+			}
+		}
+		unset( $new_value );
+	}
+
+	echo $value; //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- escaped by logic above.
+}
+
+/**
+ * Logs instances of ACF successfully escaping unsafe HTML.
+ *
+ * @since 6.2.5
+ *
+ * @param string $function The function that resulted in HTML being escaped.
+ * @param string $selector The selector (field key, name, etc.) passed to that function.
+ * @param array  $field    The field being queried when HTML was escaped.
+ * @param mixed  $post_id  The post ID the function was called on.
+ * @return void
+ */
+function _acf_log_escaped_html( $function, $selector, $field, $post_id ) {
+	// If the notice isn't shown, no use in logging the errors.
+	if ( apply_filters( 'acf/admin/prevent_escaped_html_notice', false ) ) {
+		return;
+	}
+
+	$escaped = _acf_get_escaped_html_log();
+
+	// Only store up to 100 results at a time.
+	if ( count( $escaped ) >= 100 ) {
+		return;
+	}
+
+	// Bail if we already logged an error for this field.
+	if ( isset( $escaped[ $field['key'] ] ) ) {
+		return;
+	}
+
+	$escaped[ $field['key'] ] = array(
+		'selector' => $selector,
+		'function' => $function,
+		'field'    => $field['label'],
+		'post_id'  => $post_id,
+	);
+
+	_acf_update_escaped_html_log( $escaped );
+}
+add_action( 'acf/removed_unsafe_html', '_acf_log_escaped_html', 10, 4 );
+
+/**
+ * Logs instances of where ACF will soon escape HTML using the_field.
+ *
+ * @since 6.2.5
+ *
+ * @param string $function The function that resulted in HTML being escaped.
+ * @param string $selector The selector (field key, name, etc.) passed to that function.
+ * @param array  $field    The field being queried when HTML was escaped.
+ * @param mixed  $post_id  The post ID the function was called on.
+ * @return void
+ */
+function _acf_log_will_escape_html( $function, $selector, $field, $post_id ) {
+	// If the notice isn't shown, no use in logging the errors.
+	if ( apply_filters( 'acf/admin/prevent_escaped_html_notice', false ) ) {
+		return;
+	}
+
+	$will_escape = _acf_get_will_escape_html_log();
+
+	// Only store up to 100 results at a time.
+	if ( count( $will_escape ) >= 100 ) {
+		return;
+	}
+
+	// Bail if we already logged an error for this field.
+	if ( isset( $will_escape[ $field['key'] ] ) ) {
+		return;
+	}
+
+	$will_escape[ $field['key'] ] = array(
+		'selector' => $selector,
+		'function' => $function,
+		'field'    => $field['name'],
+		'post_id'  => $post_id,
+	);
+
+	_acf_update_will_escape_html_log( $will_escape );
+}
+add_action( 'acf/will_remove_unsafe_html', '_acf_log_will_escape_html', 10, 4 );
+
+/**
+ * Returns an array of instances where HTML was altered due to escaping in the_field or a shortcode.
+ *
+ * @since 6.2.5
+ *
+ * @return array
+ */
+function _acf_get_escaped_html_log() {
+	$escaped = get_option( 'acf_escaped_html_log', array() );
+	return is_array( $escaped ) ? $escaped : array();
+}
+
+/**
+ * Updates the array of instances where HTML was altered due to escaping in the_field or a shortcode.
+ *
+ * @since 6.2.5
+ *
+ * @param array $escaped The array of instances.
+ * @return boolean True on success, or false on failure.
+ */
+function _acf_update_escaped_html_log( $escaped = array() ) {
+	return update_option( 'acf_escaped_html_log', (array) $escaped, true );
+}
+
+/**
+ * Deletes the array of instances where HTML was altered due to escaping in the_field or a shortcode.
+ *
+ * @since 6.2.5
+ *
+ * @return boolean True on success, or false on failure.
+ */
+function _acf_delete_escaped_html_log() {
+	return delete_option( 'acf_escaped_html_log' );
+}
+
+/**
+ * Returns an array of instances where HTML will be escaped in the_field().
+ *
+ * @since 6.2.5
+ *
+ * @return array
+ */
+function _acf_get_will_escape_html_log() {
+	$will_escape = get_option( 'acf_will_escape_html_log', array() );
+	return is_array( $will_escape ) ? $will_escape : array();
+}
+
+/**
+ * Updates the array of instances where HTML will be escaped in the_field().
+ *
+ * @since 6.2.5
+ *
+ * @param array $escaped The array of instances.
+ * @return boolean True on success, or false on failure.
+ */
+function _acf_update_will_escape_html_log( $escaped = array() ) {
+	return update_option( 'acf_will_escape_html_log', (array) $escaped, true );
+}
+
+/**
+ * Deletes the array of instances where HTML will be escaped in the_field().
+ *
+ * @since 6.2.5
+ *
+ * @return boolean True on success, or false on failure.
+ */
+function _acf_delete_will_escape_html_log() {
+	return delete_option( 'acf_will_escape_html_log' );
 }
 
 /**
  * This function will return an array containing all the field data for a given field_name.
  *
  * @since 3.6
- * @date  3/02/13
  *
- * @param string $selector     The field name or key.
- * @param mixed  $post_id      The post_id of which the value is saved against.
- * @param bool   $format_value Whether to format the field value.
- * @param bool   $load_value   Whether to load the field value.
+ * @param string  $selector     The field name or key.
+ * @param mixed   $post_id      The post_id of which the value is saved against.
+ * @param boolean $format_value Whether to format the field value.
+ * @param boolean $load_value   Whether to load the field value.
+ * @param boolean $escape_html  Should the field return a HTML safe formatted value if $format_value is true.
+ *                              This parameter will not guarantee the result is escaped, only if the field type supports it.
  *
  * @return array|false $field
  */
-function get_field_object( $selector, $post_id = false, $format_value = true, $load_value = true ) {
+function get_field_object( $selector, $post_id = false, $format_value = true, $load_value = true, $escape_html = false ) {
 	// Compatibility with ACF ~4.
 	if ( is_array( $format_value ) && isset( $format_value['format_value'] ) ) {
 		$format_value = $format_value['format_value'];
@@ -104,7 +293,7 @@ function get_field_object( $selector, $post_id = false, $format_value = true, $l
 	}
 
 	if ( $format_value ) {
-		$field['value'] = acf_format_value( $field['value'], $post_id, $field );
+		$field['value'] = acf_format_value( $field['value'], $post_id, $field, $escape_html );
 	}
 
 	return $field;
@@ -244,23 +433,20 @@ function get_fields( $post_id = false, $format_value = true ) {
 }
 
 
-/*
-*  get_field_objects()
-*
-*  This function will return an array containing all the custom field objects for a specific post_id.
-*  The function is not very elegant and wastes a lot of PHP memory / SQL queries if you are not using all the fields / values.
-*
-*  @type    function
-*  @since   3.6
-*  @date    29/01/13
-*
-*  @param   $post_id (mixed) the post_id of which the value is saved against
-*  @param   $format_value (boolean) whether or not to format the field value
-*  @param   $load_value (boolean) whether or not to load the field value
-*  @return  (array) associative array where field name => field
-*/
-
-function get_field_objects( $post_id = false, $format_value = true, $load_value = true ) {
+/**
+ * This function will return an array containing all the custom field objects for a specific post_id.
+ * The function is not very elegant and wastes a lot of PHP memory / SQL queries if you are not using all the fields / values.
+ *
+ * @since 3.6
+ *
+ * @param mixed   $post_id      The post_id of which the value is saved against.
+ * @param boolean $format_value Whether or not to format the field value.
+ * @param boolean $load_value   Whether or not to load the field value.
+ * @param boolean $escape_html  Should the field return a HTML safe formatted value if $format_value is true.
+ *                              This parameter will not guarantee the result is escaped, only if the field type supports it.
+ * @return array associative array where field name => field
+ */
+function get_field_objects( $post_id = false, $format_value = true, $load_value = true, $escape_html = false ) {
 
 	// init
 	acf_init();
@@ -301,7 +487,7 @@ function get_field_objects( $post_id = false, $format_value = true, $load_value
 
 		// format value
 		if ( $format_value ) {
-			$field['value'] = acf_format_value( $field['value'], $post_id, $field );
+			$field['value'] = acf_format_value( $field['value'], $post_id, $field, $escape_html );
 		}
 
 		// append to $value
@@ -705,47 +891,78 @@ function get_sub_field( $selector = '', $format_value = true ) {
 }
 
 
-/*
-*  the_sub_field()
-*
-*  This function is the same as echo get_sub_field
-*
-*  @type    function
-*  @since   1.0.3
-*  @date    29/01/13
-*
-*  @param   $field_name (string) the field name
-*  @return  n/a
-*/
-
+/**
+ * This function is the same as echo get_sub_field
+ *
+ * @since   1.0.3
+ *
+ * @param string  $field_name   The field name.
+ * @param boolean $format_value Format the value before output.
+ */
 function the_sub_field( $field_name, $format_value = true ) {
-
-	$value = get_sub_field( $field_name, $format_value );
+	$field = get_sub_field_object( $field_name, $format_value );
+	$value = ( is_array( $field ) && isset( $field['value'] ) ) ? $field['value'] : false;
 
 	if ( is_array( $value ) ) {
 		$value = implode( ', ', $value );
 	}
 
+	// If we're not a scalar we'd throw an error, so return early for safety.
+	if ( ! is_scalar( $value ) ) {
+		return;
+	}
+
+	$field_type              = is_array( $field ) && isset( $field['type'] ) ? $field['type'] : 'text';
+	$field_type_escapes_html = acf_field_type_supports( $field_type, 'escaping_html' );
+
+	if ( ! apply_filters( 'acf/the_field/allow_unsafe_html', false, $field_name, 'sub_field', $field_type, $field ) ) {
+		/*
+		 * If the field is compatible with generating a html safe version, use it, otherwise run the value through acf_esc_html.
+		 *
+		 * This logic become default in an upcoming release of ACF, where we will always ask for a html safe version regardless of support
+		 * then additionally run `acf_esc_html` if the field type is not marked as supporting `escaping_html`.
+		 */
+
+		if ( $field_type_escapes_html ) {
+			$field     = get_sub_field_object( $field_name, $format_value, true, true );
+			$new_value = ( is_array( $field ) && isset( $field['value'] ) ) ? $field['value'] : false;
+
+			if ( is_array( $new_value ) ) {
+				$new_value = implode( ', ', $new_value );
+			}
+		} else {
+			$new_value = acf_esc_html( $value );
+		}
+
+		if ( (string) $value !== (string) $new_value ) {
+			if ( apply_filters( 'acf/the_field/escape_html_optin', false ) ) {
+				$value = $new_value;
+				do_action( 'acf/removed_unsafe_html', __FUNCTION__, $field_name, $field, false );
+			} else {
+				do_action( 'acf/will_remove_unsafe_html', __FUNCTION__, $field_name, $field, false );
+			}
+		}
+		unset( $new_value );
+	}
+
 	echo $value;
 }
 
 
-/*
-*  get_sub_field_object()
-*
-*  This function is used inside a 'has_sub_field' while loop to return a sub field object
-*
-*  @type    function
-*  @since   3.5.8.1
-*  @date    29/01/13
-*
-*  @param   $child_name (string) the field name
-*  @return  (array)
-*/
+/**
+ * This function is used inside a 'has_sub_field' while loop to return a sub field object
+ *
+ * @since 3.5.8.1
+ *
+ * @param string  $selector     The field name or key.
+ * @param boolean $format_value Whether to format the field value.
+ * @param boolean $load_value   Whether to load the field value.
+ * @param boolean $escape_html  Should the field return a HTML safe formatted value.
+ *                              This parameter will not guarantee the result is escaped, only if the field type supports it.
+ * @return mixed
+ */
+function get_sub_field_object( $selector, $format_value = true, $load_value = true, $escape_html = false ) {
 
-function get_sub_field_object( $selector, $format_value = true, $load_value = true ) {
-
-	// vars
 	$row = acf_get_loop( 'active' );
 
 	// bail early if no row
@@ -768,9 +985,8 @@ function get_sub_field_object( $selector, $format_value = true, $load_value = tr
 
 	// format value
 	if ( $format_value ) {
-
 		// get value for field
-		$sub_field['value'] = acf_format_value( $sub_field['value'], $row['post_id'], $sub_field );
+		$sub_field['value'] = acf_format_value( $sub_field['value'], $row['post_id'], $sub_field, $escape_html );
 	}
 
 	// return
@@ -859,8 +1075,9 @@ function acf_shortcode( $atts ) {
 		add_filter( 'acf/prevent_access_to_unknown_fields', '__return_true' );
 	}
 
-	// Try to get the field value.
-	$value = get_field( $atts['field'], $atts['post_id'], $atts['format_value'] );
+	// Try to get the field value, ensuring any non-safe HTML is stripped from wysiwyg fields via `acf_the_content`
+	$field = get_field_object( $atts['field'], $atts['post_id'], $atts['format_value'], true, true );
+	$value = $field ? $field['value'] : get_field( $atts['field'], $atts['post_id'], $atts['format_value'], true );
 
 	if ( $filter_applied ) {
 		remove_filter( 'acf/prevent_access_to_unknown_fields', '__return_true' );
@@ -870,6 +1087,29 @@ function acf_shortcode( $atts ) {
 		$value = implode( ', ', $value );
 	}
 
+	$field_type              = is_array( $field ) && isset( $field['type'] ) ? $field['type'] : 'text';
+	$field_type_escapes_html = acf_field_type_supports( $field_type, 'escaping_html' );
+
+	// Temporarily always get the unescaped version for action comparison.
+	$unescaped_value = get_field( $atts['field'], $atts['post_id'], $atts['format_value'], false );
+
+	if ( is_array( $unescaped_value ) ) {
+		$unescaped_value = implode( ', ', $unescaped_value );
+	}
+
+	// Handle getting the unescaped version if we're allowed unsafe html.
+	if ( apply_filters( 'acf/shortcode/allow_unsafe_html', false, $atts, $field_type, $field ) ) {
+		$value = $unescaped_value;
+	} else {
+		if ( ! $field_type_escapes_html ) {
+			$value = acf_esc_html( $value );
+		}
+
+		if ( (string) $value !== (string) $unescaped_value ) {
+			do_action( 'acf/removed_unsafe_html', __FUNCTION__, $atts['field'], $field, $atts['post_id'] );
+		}
+	}
+
 	return $value;
 }
 add_shortcode( 'acf', 'acf_shortcode' );

includes/assets.php

@@ -115,6 +115,7 @@ if ( ! class_exists( 'ACF_Assets' ) ) :
 			wp_register_script( 'acf-input', acf_get_url( 'assets/build/js/acf-input' . $suffix . '.js' ), array( 'jquery', 'jquery-ui-sortable', 'jquery-ui-resizable', 'acf' ), $version );
 			wp_register_script( 'acf-field-group', acf_get_url( 'assets/build/js/acf-field-group' . $suffix . '.js' ), array( 'acf-input' ), $version );
 			wp_register_script( 'acf-internal-post-type', acf_get_url( 'assets/build/js/acf-internal-post-type' . $suffix . '.js' ), array( 'acf-input' ), $version );
+			wp_register_script( 'acf-escaped-html-notice', acf_get_url( 'assets/build/js/acf-escaped-html-notice' . $suffix . '.js' ), array( 'jquery' ), $version, true );
 
 			// Register styles.
 			wp_register_style( 'acf-global', acf_get_url( 'assets/build/css/acf-global.css' ), array( 'dashicons' ), $version );

includes/fields.php

@@ -319,6 +319,24 @@ function acf_get_field_type_label( $name = '' ) {
 	return $label ? $label : '<span class="acf-tooltip-js" title="' . __( 'Field type does not exist', 'acf' ) . '">' . __( 'Unknown', 'acf' ) . '</span>';
 }
 
+/**
+ * Returns the value of a field type "supports" property.
+ *
+ * @since 6.2.5
+ *
+ * @param string $name The name of the field type.
+ * @param string $prop The name of the supports property.
+ *
+ * @return mixed The value of the supports property which may be false, or false on failure.
+ */
+function acf_field_type_supports( $name = '', $prop = '' ) {
+	$supports = acf_get_field_type_prop( $name, 'supports' );
+	if ( ! is_array( $supports ) ) {
+		return false;
+	}
+	return isset( $supports[ $prop ] ) ? $supports[ $prop ] : false;
+}
+
 
 /*
 *  acf_field_type_exists (deprecated)

includes/fields/class-acf-field-group.php

@@ -108,24 +108,20 @@ if ( ! class_exists( 'acf_field__group' ) ) :
 		}
 
 
-		/*
-		*  format_value()
-		*
-		*  This filter is appied to the $value after it is loaded from the db and before it is returned to the template
-		*
-		*  @type    filter
-		*  @since   3.6
-		*  @date    23/01/13
-		*
-		*  @param   $value (mixed) the value which was loaded from the database
-		*  @param   $post_id (mixed) the $post_id from which the value was loaded
-		*  @param   $field (array) the field array holding all the field options
-		*
-		*  @return  $value (mixed) the modified value
-		*/
-
-		function format_value( $value, $post_id, $field ) {
-
+		/**
+		 * This filter is appied to the $value after it is loaded from the db and before it is returned to the template
+		 *
+		 * @type    filter
+		 * @since   3.6
+		 *
+		 * @param mixed   $value       The value which was loaded from the database.
+		 * @param mixed   $post_id     The $post_id from which the value was loaded.
+		 * @param array   $field       The field array holding all the field options.
+		 * @param boolean $escape_html Should the field return a HTML safe formatted value.
+		 *
+		 * @return mixed the modified value
+		 */
+		public function format_value( $value, $post_id, $field, $escape_html = false ) {
 			// bail early if no value
 			if ( empty( $value ) ) {
 				return false;
@@ -141,7 +137,7 @@ if ( ! class_exists( 'acf_field__group' ) ) :
 				$sub_value = acf_extract_var( $value, $sub_field['key'] );
 
 				// format value
-				$sub_value = acf_format_value( $sub_value, $post_id, $sub_field );
+				$sub_value = acf_format_value( $sub_value, $post_id, $sub_field, $escape_html );
 
 				// append to $row
 				$value[ $sub_field['_name'] ] = $sub_value;

includes/fields/class-acf-field-oembed.php

@@ -28,11 +28,14 @@ if ( ! class_exists( 'acf_field_oembed' ) ) :
 			$this->preview_image = acf_get_url() . '/assets/images/field-type-previews/field-preview-oembed.png';
 			$this->doc_url       = acf_add_url_utm_tags( 'https://www.advancedcustomfields.com/resources/oembed/', 'docs', 'field-type-selection' );
 			$this->defaults      = array(
-				'width'  => '',
-				'height' => '',
+				'width'     => '',
+				'height'    => '',
 			);
 			$this->width         = 640;
 			$this->height        = 390;
+			$this->supports      = array(
+				'escaping_html' => true, // The OEmbed field only produces html safe content from format_value.
+			);
 
 			// extra
 			add_action( 'wp_ajax_acf/fields/oembed/search', array( $this, 'ajax_query' ) );
@@ -281,19 +284,16 @@ if ( ! class_exists( 'acf_field_oembed' ) ) :
 		}
 
 		/**
-		 *  format_value()
+		 * This filter is appied to the $value after it is loaded from the db and before it is returned to the template.
 		 *
-		 *  This filter is appied to the $value after it is loaded from the db and before it is returned to the template
+		 * @type    filter
+		 * @since   3.6
 		 *
-		 *  @type    filter
-		 *  @since   3.6
-		 *  @date    23/01/13
+		 * @param mixed $value   The value which was loaded from the database.
+		 * @param mixed $post_id The $post_id from which the value was loaded.
+		 * @param array $field   The field array holding all the field options.
 		 *
-		 *  @param   $value (mixed) the value which was loaded from the database
-		 *  @param   $post_id (mixed) the post_id from which the value was loaded
-		 *  @param   $field (array) the field array holding all the field options
-		 *
-		 *  @return  $value (mixed) the modified value
+		 * @return mixed the modified value
 		 */
 		function format_value( $value, $post_id, $field ) {
 			// bail early if no value

includes/fields/class-acf-field-wysiwyg.php

@@ -34,6 +34,9 @@ if ( ! class_exists( 'acf_field_wysiwyg' ) ) :
 				'default_value' => '',
 				'delay'         => 0,
 			);
+			$this->supports      = array(
+				'escaping_html' => true,
+			);
 
 			// add acf_the_content filters
 			$this->add_filters();
@@ -387,28 +390,35 @@ if ( ! class_exists( 'acf_field_wysiwyg' ) ) :
 				)
 			);
 		}
-
 		/**
 		 * This filter is applied to the $value after it is loaded from the db, and before it is returned to the template
 		 *
 		 * @type    filter
 		 * @since   3.6
-		 * @date    23/01/13
 		 *
-		 * @param mixed $value   The value which was loaded from the database
-		 * @param mixed $post_id The $post_id from which the value was loaded
-		 * @param array $field   The field array holding all the field options
+		 * @param mixed   $value       The value which was loaded from the database.
+		 * @param mixed   $post_id     The $post_id from which the value was loaded.
+		 * @param array   $field       The field array holding all the field options.
+		 * @param boolean $escape_html Should the field return a HTML safe formatted value.
 		 *
 		 * @return mixed $value The modified value
 		 */
-		function format_value( $value, $post_id, $field ) {
+		public function format_value( $value, $post_id, $field, $escape_html ) {
 			// Bail early if no value or not a string.
 			if ( empty( $value ) || ! is_string( $value ) ) {
 				return $value;
 			}
 
+			if ( $escape_html ) {
+				add_filter( 'acf_the_content', 'acf_esc_html', 1 );
+			}
+
 			$value = apply_filters( 'acf_the_content', $value );
 
+			if ( $escape_html ) {
+				remove_filter( 'acf_the_content', 'acf_esc_html', 1 );
+			}
+
 			// Follow the_content function in /wp-includes/post-template.php
 			return str_replace( ']]>', ']]>', $value );
 		}

includes/fields/class-acf-field.php

@@ -17,6 +17,9 @@ if ( ! class_exists( 'acf_field' ) ) :
 		public $l10n          = array();
 		public $public        = true;
 		public $show_in_rest  = true;
+		public $supports      = array(
+			'escaping_html' => false, // Set true when a field handles its own HTML escaping in format_value
+		);
 
 		/*
 		*  __construct
@@ -54,7 +57,7 @@ if ( ! class_exists( 'acf_field' ) ) :
 			// value
 			$this->add_field_filter( 'acf/load_value', array( $this, 'load_value' ), 10, 3 );
 			$this->add_field_filter( 'acf/update_value', array( $this, 'update_value' ), 10, 3 );
-			$this->add_field_filter( 'acf/format_value', array( $this, 'format_value' ), 10, 3 );
+			$this->add_field_filter( 'acf/format_value', array( $this, 'format_value' ), 10, 4 );
 			$this->add_field_filter( 'acf/validate_value', array( $this, 'validate_value' ), 10, 4 );
 			$this->add_field_action( 'acf/delete_value', array( $this, 'delete_value' ), 10, 3 );
 

lang/acf-ar.po

@@ -12,7 +12,7 @@
 # This file is distributed under the same license as Advanced Custom Fields.
 msgid ""
 msgstr ""
-"PO-Revision-Date: 2023-11-28T09:14:32+00:00\n"
+"PO-Revision-Date: 2024-01-12T11:58:55+00:00\n"
 "Report-Msgid-Bugs-To: http://support.advancedcustomfields.com\n"
 "Language: ar\n"
 "MIME-Version: 1.0\n"

lang/acf-bg_BG.po

@@ -12,7 +12,7 @@
 # This file is distributed under the same license as Advanced Custom Fields.
 msgid ""
 msgstr ""
-"PO-Revision-Date: 2023-11-28T09:14:32+00:00\n"
+"PO-Revision-Date: 2024-01-12T11:58:55+00:00\n"
 "Report-Msgid-Bugs-To: http://support.advancedcustomfields.com\n"
 "Language: bg_BG\n"
 "MIME-Version: 1.0\n"

lang/acf-de_CH.po

@@ -12,7 +12,7 @@
 # This file is distributed under the same license as Advanced Custom Fields.
 msgid ""
 msgstr ""
-"PO-Revision-Date: 2023-11-28T09:14:32+00:00\n"
+"PO-Revision-Date: 2024-01-12T11:58:55+00:00\n"
 "Report-Msgid-Bugs-To: http://support.advancedcustomfields.com\n"
 "Language: de_CH\n"
 "MIME-Version: 1.0\n"

lang/acf-he_IL.po

@@ -12,7 +12,7 @@
 # This file is distributed under the same license as Advanced Custom Fields.
 msgid ""
 msgstr ""
-"PO-Revision-Date: 2023-11-28T09:14:32+00:00\n"
+"PO-Revision-Date: 2024-01-12T11:58:55+00:00\n"
 "Report-Msgid-Bugs-To: http://support.advancedcustomfields.com\n"
 "Language: he_IL\n"
 "MIME-Version: 1.0\n"

lang/acf-hu_HU.po

@@ -12,7 +12,7 @@
 # This file is distributed under the same license as Advanced Custom Fields.
 msgid ""
 msgstr ""
-"PO-Revision-Date: 2023-11-28T09:14:32+00:00\n"
+"PO-Revision-Date: 2024-01-12T11:58:55+00:00\n"
 "Report-Msgid-Bugs-To: http://support.advancedcustomfields.com\n"
 "Language: hu_HU\n"
 "MIME-Version: 1.0\n"

lang/acf-id_ID.po

@@ -12,7 +12,7 @@
 # This file is distributed under the same license as Advanced Custom Fields.
 msgid ""
 msgstr ""
-"PO-Revision-Date: 2023-11-28T09:14:32+00:00\n"
+"PO-Revision-Date: 2024-01-12T11:58:55+00:00\n"
 "Report-Msgid-Bugs-To: http://support.advancedcustomfields.com\n"
 "Language: id_ID\n"
 "MIME-Version: 1.0\n"