Release Date 16th January 2024
- Security Fix - The ACF shortcode will now run all output through `wp_kses`, escaping unsafe HTML. This may be a breaking change to your site but is required for security. A message will be shown in WordPress admin if you are affected. Please see the blog post for this release for more information. Thanks to Francesco Carlucci via Wordfence for the responsible disclosure.
- Security - ACF now warns via an admin message when upcoming changes to `the_field` and `the_sub_field` may require theme changes to your site to avoid stripping unsafe HTML. Please see the blog post for this release for more information.
- Security - Users may opt in to automatically escaping unsafe HTML via a new filter `acf/the_field/escape_html_optin` when using `the_field` and `the_sub_field` before this becomes default in an upcoming ACF release.