esc_url on WordPress ACF oEmbed

I'm using the ACF WordPress plugin to create an oEmbed field. The field accepts a URL from Vimeo and outputs an iframe on the front end.

I usually escape URLs and attributes within my theme like so:

<a href="<?= esc_url( get_field('link') ); ?>" title="<?= esc_attr( get_field('title') ); ?>">

When I try and escape the oEmbed, nothing shows up:

<?= esc_url( get_field('video') ); ?>

If I test XSS with the following script, the ACF field completely breaks with a JS error.

<script>alert('hello')</script>

Do I need to escape this field? I assume that WordPress takes care of the escaping through the oEmbed function?

From the official documentation:

The oEmbed field will return a string containing the embed HTML.

Even if the input is of type URL, when getting the value, ACF transforms it to a full HTML embed code. In conclusion, it is wrong to call esc_url on this HTML; you just have to use the_field('video') or echo get_field('video').

As for ACF accepting invalid (non-URL) data in oEmbed type inputs, you can write a custom validator to raise an error, if needed, by implementing a filter: acf/validate_value.
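An added example (not part of the original answer or of ACF's own code) of the acf/validate_value approach described above, paired with filtering the returned embed markup as HTML rather than as a URL. The function names, the Vimeo host list, the error message and the iframe attribute allowlist are assumptions chosen for a Vimeo-only field.

```php
<?php
// Added example. Assumes ACF is active and the field type is "oembed".
// Function names and the host list below are hypothetical.

add_filter( 'acf/validate_value/type=oembed', 'example_validate_oembed_url', 10, 4 );

function example_validate_oembed_url( $valid, $value, $field, $input_name ) {
    // Keep earlier validation failures; leave empty values to ACF's "required" check.
    if ( true !== $valid || '' === trim( (string) $value ) ) {
        return $valid;
    }

    // Assumption: this field should only ever hold Vimeo links.
    $allowed_hosts = array( 'vimeo.com', 'www.vimeo.com', 'player.vimeo.com' );

    $parts  = wp_parse_url( trim( (string) $value ) );
    $scheme = ( is_array( $parts ) && isset( $parts['scheme'] ) ) ? strtolower( $parts['scheme'] ) : '';
    $host   = ( is_array( $parts ) && isset( $parts['host'] ) ) ? strtolower( $parts['host'] ) : '';

    // Input such as <script>...</script> has no scheme or host and is rejected here.
    if ( 'https' !== $scheme || ! in_array( $host, $allowed_hosts, true ) ) {
        return 'Please enter an https:// Vimeo URL.'; // A string return marks the value invalid.
    }

    return $valid;
}

// Output side: get_field() returns embed HTML for this field type, so esc_url()
// is the wrong escaper. wp_kses() keeps only the iframe markup listed here.
function example_render_oembed( $field_name ) {
    $allowed_html = array(
        'iframe' => array(
            'src'             => true,
            'width'           => true,
            'height'          => true,
            'title'           => true,
            'frameborder'     => true,
            'allow'           => true,
            'allowfullscreen' => true,
        ),
    );

    echo wp_kses( (string) get_field( $field_name ), $allowed_html );
}
```

In a template, `example_render_oembed( 'video' );` takes the place of the `esc_url( get_field('video') )` call from the question.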

Have you tried using the_field() instead of get_field()?

<?= esc_url( the_field('video') ); ?>

The oEmbed actually returns more than just a URL so that could be the issue as well. I haven't worked with esc_url() much in the past but it could be breaking because whatever is getting passed through is not only a URL.

As stated here, https://www.advancedcustomfields.com/resources/oembed/, "The oEmbed field will return a string containing the embed HTML".