Sam Sam - 20 days ago 9
Javascript Question

esc_url on WordPress ACF oEmbed

I'm using the ACF WordPress plugin to create an oEmbed field. The field accepts a URL from Vimeo and outputs an iframe on the front end.

I usually escape urls and attributes within my theme like so:

<a href="<?= esc_url( get_field('link') ); ?>" title="<?= esc_attr( get_field('title') ); ?>">

When I try and escape the oEmbed, nothing shows up:

<?= esc_url( get_field('video') ); ?>

If I test XSS with the following script, the ACF field completely breaks with a JS error.


Do I need to escape this field? I assume that WordPress takes care of the escaping through the oEmbed function?


From the official documentation:

The oEmbed field will return a string containing the embed HTML.

Even if the input is of type URL, when getting the value, ACF transforms it to a full HTML embed code. In conclusion, it is wrong to call esc_url on this HTML, you just have to use the_field('video') or echo get_field('video').

As for ACF accepting invalid (non-URL) data in oEmbed type inputs, you can write a custom validator to raise an error, if needed by implementing a filter: acf/validate_value.