advanced-custom-fields get_field() Sanitize get_field() output

Example

It's a good idea to sanitize get_field() output, especially when using Advanced Custom Fields fields front end (with acf_form()). Otherwise your site is likely vulnerable to cross-site scripting attacks (XSS).

The following function lets you use

echo get_field_escaped('my_custom_field', $post_id, true);

instead of

echo get_field('my_custom_field', $post_id, true);

The function uses esc_html as default, but let's you change this as a fourth parameter

echo get_field_escaped('url', $post_id, true, 'esc_url');

Add the following to functions.php to enable the function:

/**
 * Helper function to get escaped field from ACF
 * and also normalize values.
 *
 * @param $field_key
 * @param bool $post_id
 * @param bool $format_value
 * @param string $escape_method esc_html / esc_attr or NULL for none
 * @return array|bool|string
 */
function get_field_escaped($field_key, $post_id = false, $format_value = true, $escape_method = 'esc_html')
{
    $field = get_field($field_key, $post_id, $format_value);
 
    /* Check for null and falsy values and always return space */
    if($field === NULL || $field === FALSE)
        $field = '';
 
    /* Handle arrays */
    if(is_array($field))
    {
        $field_escaped = array();
        foreach($field as $key => $value)
        {
            $field_escaped[$key] = ($escape_method === NULL) ? $value : $escape_method($value);
        }
        return $field_escaped;
    }
    else
        return ($escape_method === NULL) ? $field : $escape_method($field);
}

Source: https://snippets.khromov.se/sanitizing-and-securing-advanced-custom-fields-output/

More about the different sanitization options in the WordPress Codex: https://codex.wordpress.org/Data_Validation#Output_Sanitization