Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improving Defence Against XSS #500

elliotcondon opened this issue May 20, 2021 · 4 comments

Improving Defence Against XSS #500

elliotcondon opened this issue May 20, 2021 · 4 comments


Copy link

elliotcondon commented May 20, 2021

Cross-site scripting or XSS is one of the most popular vulnerabilities among WordPress Core, Plugins and Themes. This vulnerability is best though of as a missing "filter" in the PHP pipeline when displaying user-generated content, which can allow unauthorized JavaScript code to be executed on a website.

If you're interested in learning more about XSS, I found this article to be very helpful: Cross Site Scripting (XSS) Attack Tutorial with Examples, Types & Prevention

Luckily, WordPress provide an arsenal of tools to help defend against XSS such as the many esc_xxx() functions in combination with wp_kses(), which help strip out or encode HTML tags, and prevent a browser from executing the potentially dangerous HTML.

At ACF, we're constantly making improvements to combat XSS and are excited to announce a new opt-in feature is available for testing. This feature is currently considered "experimental" whilst we encourage developers such as yourself to enable, test and report back with real world results. So how does it work and what will it do?

Once enabled, all user-generated content displayed within Advanced Custom Fields such as Field labels and instructions will be passed through the wp_kses() function with a context of "acf". As a result, inline <script> and <iframe> tags will be removed along with potentially dangerous attributes (mimicing WP core behavior). Note: script tags are already removed by default.

It is important to note the scope of this improvement. This will not effect Field values loaded through API functions such as get_field() and the_field(). We don't make any assumptions about where you are using your Field values within your theme and do not apply escaping to them as a result.

The custom context of "acf" will allow for 3rd party customization of the allowed HTML tags and attributes - which there are a lot of: XSS Filter Evasion Cheat Sheet.

How to test

To help test our improved XSS defence, please update to the latest version of ACF (5.9.6+) and add the following line of code to your wp-config.php file:

define( 'ACF_EXPERIMENTAL_ESC_HTML', true );

Then, simply go about your web developing business and report back with a 👍 or 👎. If you do come across an issue, please let us know in the comments below.

How to extend

By using a custom context, it is possible to customize the allowed HTML tags and attributes for ACF user-generated content without affecting other parts of your WordPress website. For example, if you wish to enable support for <iframe> elements within Field instructions, the following snippet could be used within the functions.php file:

add_filter( 'wp_kses_allowed_html', function( $tags, $context ){
	if( $context === 'acf' ) {
		$tags['iframe'] = array(
			'src'             => true,
			'height'          => true,
			'width'           => true,
			'frameborder'     => true,
			'allowfullscreen' => true,
	return $tags;
}, 10, 2 );

It is my absolute pleasure to be implementing this improvement to the plugin and thank you all for your help!


Copy link

@elliotcondon currently the download of 5.9.6 at is not available :-)

Copy link
Contributor Author

Caching. All fixed now.

Copy link

@elliotcondon Thank you. Ready for testing now :-)

Copy link

Closing since this has been implemented in 5.10.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

5 participants
@elliotcondon @mattgrshaw @CreativeDive and others