• As you must know, to prevent XSS attacks it is important that output to the browser gets escaped. ACF has functions like the_field() that echo directly, disabling any possibility for escaping.

    Obviously escaping is context dependent, and it is impossible for a plugin developer to know whether the client will output in HTML content, HTML attributes, JavaScript or others, thus making a plugin in itself a bad place to escape output. However, if we expect the client to do their context-dependent escaping, it makes no sense to have functions like the_field(). Note that the WordPress core suffers from the same illness.

    We might, however, assume that if people call functions like the_field(), they probably output in HTML content. We can even write a filter that is restrictive enough to be safe in HTML content and HTML attributes, thus eliminating a good part of the vulnerabilities.

    At least we could make it harder for users to open the gates wide, by making them do special effort to do unsafe things.

    Personally, I helped myself to the codebase of Twig for an escaping class. If you want even better, you can check ESAPI, which they say is not production ready for PHP, but it already has unit tests and all, so it might be worth having a look at…

    For a few references, please see:
    http://inanimatt.com/php-output-escaping.html
    http://blog.astrumfutura.com/2012/03/a-hitchhikers-guide-to-cross-site-scripting-xss-in-php-part-1-how-not-to-use-htmlspecialchars-for-output-escaping/
    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
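
    An added example (not code from the original post or from ACF) of the kind of filter described above: an escaper that is safe in both HTML element content and HTML attribute values, following the OWASP cheat sheet rule of encoding every character except [A-Za-z0-9], plus a wrapper around ACF's get_field() where raw output needs an explicit opt-in. The wrapper name the_escaped_field() and its $raw parameter are assumptions, not part of ACF.

```php
<?php
// Escaper safe for HTML content *and* quoted or unquoted attribute values.
// Every character outside [A-Za-z0-9] becomes a numeric entity, so neither
// quotes, angle brackets, spaces nor backticks can terminate an attribute.
// (Constructed example; still not sufficient for JavaScript or URL contexts.)
function escape_html_and_attr(string $value): string
{
    // htmlspecialchars() silently returns '' on invalid UTF-8; make that
    // failure explicit instead of hiding a possibly hostile byte sequence.
    if (!mb_check_encoding($value, 'UTF-8')) {
        return '';
    }
    return preg_replace_callback(
        '/[^A-Za-z0-9]/u',
        static function (array $m): string {
            // e.g. '<' -> '&#x3C;', '"' -> '&#x22;', '\'' -> '&#x27;'
            return sprintf('&#x%X;', mb_ord($m[0], 'UTF-8'));
        },
        $value
    );
}

// Hypothetical replacement for the_field(): escaped by default, and
// unescaped output requires the caller to ask for it explicitly.
function the_escaped_field(string $selector, bool $raw = false): void
{
    $value = get_field($selector); // ACF's real getter, returns mixed
    if (!is_string($value)) {
        return;
    }
    echo $raw ? $value : escape_html_and_attr($value);
}

// Constructed demonstration value, as it might sit in wp_postmeta:
$untrusted = '" onmouseover="alert(1)';
// Escaped form is inert both in <p>...</p> and in title="...":
// &#x22;&#x20;onmouseover&#x3D;&#x22;alert&#x28;1&#x29;
$escaped = escape_html_and_attr($untrusted);
```

    The escaped value renders identically to the stored text once the browser decodes the entities, so WYSIWYG fields that legitimately contain markup would need the $raw opt-in, which is exactly the "special effort" the post argues for.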

  • The topic ‘[Plugin: Advanced Custom Fields] Your plugin outups db information without escaping it’ is closed to new replies.