Is it safe and good practice to use do_shortcode to escape?

The WordPress Coding Standards sniffs treat do_shortcode() as an “autoescaped function”. This appears to have been discussed in 2015 in these GitHub issues:

https://github.com/WordPress/WordPress-Coding-Standards/issues/167
https://github.com/WordPress/WordPress-Coding-Standards/issues/428

The explanation used when it was added to the list was:

I discussed this with VIP support (#44195). David, after conferring
with another team member, said that it’s unnecessary, as we do the
escaping where the HTML is emitted (in the shortcode’s code).

But I’m not sure I agree with the reasoning. If you used it like this:

<?php echo do_shortcode( '[liveperson]' ); ?>

Where the shortcode is hard-coded, it makes sense, because the only thing to escape is the output of the shortcode, which should be escaped by the shortcode callback.

However, in your situation, you are using do_shortcode() to allow execution of shortcodes within user-supplied text, from a custom field. That text does need to be escaped, but do_shortcode() does not do any actual escaping.

So the safe way to handle fields like this would be to put the text through wp_kses() or wp_kses_post(), to remove disallowed tags, and then put it through do_shortcode() so that the shortcodes can be executed without being escaped again.

$text = get_field( 'field_name' );

echo do_shortcode( wp_kses_post( $text ) );

It won’t make any difference to what the code sniffer does/does not report, but at least the user supplied text is sanitised.

One limitation is that it won’t work if you use esc_html(), because that will interfere with shortcode attributes. This sanitisation also won’t prevent users entering unbalanced tags that could affect the layout, which is one thing escaping normally helps with. To address that issue you could add force_balance_tags():

$text = get_field( 'field_name' );

echo do_shortcode( force_balance_tags( wp_kses_post( $text ) ) );

Related Posts:

  1. Filtering multiple custom fields with WP REST API 2
  2. Front end form to create a custom post with preview
  3. Generate a excerpt from an ACF-wysiwyg-field
  4. Pods cms and “advanced custom fields” plugin
  5. Adding a body class with ACF
  6. Returning all radio button options when using Advanced Custom Fields
  7. Order and group posts by acf by month and year
  8. Vimeo thumbnails [closed]
  9. pre_get_posts filter using numeric meta_query comparison (from dates)
  10. ACF + contact form 7
  11. Is there a way to export Advanced Custom Fields data?
  12. Advanced Custom Fields plugin : displaying a YouTube video
  13. WordPress Gutenberg, update post content programmatically
  14. How to add custom fields in rss feed
  15. Replace post’s “the_content” with ACF value
  16. PHP echo stripping formatting in Advanced Custom Fields [closed]
  17. How to upload multiple images on frontend to ACF gallery using update_field
  18. Add user custom fields and make editable on frontend
  19. Inconsistent behavior from number_format
  20. Display post in order of ACF checkbox?
  21. Updating the database with advanced custom fields
  22. ACF custom block get_field() shows null on front-end? [closed]
  23. How to display genre of music content from one page to another page in wordpress
  24. Organize media library into folders and get folders via WP Rest API?
  25. ACF Update_field() update the field but changes are not seen in backend or rest api
  26. How to decrease the number of queries with get_posts and ACF?
  27. How to make Advanced Forms (and/or ACF) encode input value?
  28. ACF (Advanced Custom Fields) not updating post or postmeta values
  29. ACF Wysiwyg Editor Image srcset for responsive images [closed]
  30. Filter posts by advanced custom field
  31. User meta not saving properly
  32. Filtering from advance custom field data
  33. Insert Content into Script with Advanced Custom Fields
  34. Migrating data from ACF to WordPress custom meta boxes
  35. Is there a better way of retrieving the name of an acf pagelink type from current post?
  36. Seemingly Simple Conditional Won’t Work?
  37. Prepared statements used incorrectly in ACF?
  38. Hide ACF from source code until a “show” button is clicked
  39. Pull info from Soundcloud embed into a custom field?
  40. How to disable field on Advanced Custom Fields? [closed]
  41. Outputing Post Object title as a div class with ACF
  42. Function wp_enqueue_style was called incorrectly
  43. Can you make a custom gutenberg block that allows the gutenberg editor within it?
  44. ACF Clone Field – Set Default Value
  45. ACF save json to custom directory not working, default acf-json used instead
  46. ACF URL behavior, duplicating links
  47. ACF Maps admin error: “For development purposes only” even after supplying api key
  48. Do comparision after updates hooks of acf-fields?
  49. How do you display a custom field on a new page? [closed]
  50. Hash password field to database, unhash in admin?
  51. ACF google map not working [closed]
  52. Help using acf/save_post hook to connect to Untappd API and update_field [closed]
  53. Get ACF fields in relationships of returned post
  54. Random images with no duplicates (ACF Gallery) [closed]
  55. Pulling in content from another page [closed]
  56. Advanced Custom Fields – Check multiple Empty Fields [closed]
  57. Simple Calendar
  58. ACF: If field contain a specific value, update value in another field
  59. Equation input with preview in classic editor
  60. Using the WP CLI to output the HTML results of calling a post?
  61. Image is displaying with the url of the image as well
  62. Can’t get the frontend cache to be deleted manually
  63. How to do a WP_Query when a post has a relationship to anoter post via an ACF Post Object field, where the related post is in a certain category?
  64. Custom ACF block only outputs commented JSON to the DOM
  65. WP get_posts meta_query using ACF repeater field
  66. How to add a custom field for image in “Text and Full Image(text right)” layout?
  67. Trying to add ACF to authors meta and adding a class at the same time
  68. get_posts filter meta_query using ACF Checkbox
  69. Fancybox3 ACF repeater. URL strip out from the caption field
  70. Is it okay to use an ACF field to store a password for a protected area of a page?
  71. ACF Map with custom styles field
  72. Front End User Registration – How to Save ACF Values?
  73. Advanced Custom Fields | Help me link to a variable
  74. ACF Flexible Content with Bootstrap Carousel Repeater
  75. Which is faster: Loading images from the repo, or loading them using ACF Image Content via Media Library
  76. ACF don’t save the selected value
  77. WordPress API response filter by ACF value
  78. ACF Pro Date Picker not coming through on Loop
  79. advanced custom fields if field has value show main div [closed]
  80. wp_split_shared_term_batch messing up upgraded ACF 5 data
  81. Creating a page from acf fields
  82. Populate ACF repeater with current structure of pages
  83. Use an image’s url as argument in update_field function
  84. Update the value of every page’s content editor with the value of an Advanced Custom Field on that page
  85. display content in ascending order
  86. Add routes between multiple ACF google maps markers [closed]
  87. Hebrew WP 3.5: plugin activated, does not appear in sidebar [duplicate]
  88. How to share specific data contained in repeated fields across multiple pages
  89. Conditional Custom field with foreach
  90. Post Image alt text not appearing in WordPress website
  91. ACF gives a syntaxError unexpected token
  92. meta_query for an ACF checkbox field don’t works correctly
  93. Using ACF on Posts Page
  94. Advanced custom fields if else statement
  95. Use Advance Custom Fields to fill text widget [closed]
  96. Advanced custom fields and post types
  97. ACF gallery & bootstrap colls and rows [closed]
  98. Custom headings on WYSIWYGs per flexible content module in ACF
  99. Get ACF time in His format
  100. Pending posts showing category until published