[wp-hackers] esc_url() vs. esc_attr()

Ryan McCue lists at rotorised.com
Wed May 5 13:13:59 UTC 2010


I believe the latter, as esc_url() only escapes invalid URLs, but
doesn't encode ", ' or >.
--
Ryan McCue
<http://ryanmccue.info/>

On 05/05/2010, at 23:01, scribu <scribu at gmail.com> wrote:

> Security question:
>
> What is the difference between esc_url() and esc_attr() ?
>
>
> In other words, which of the following is best?
>
>
> echo '<a href="' .  esc_url($unsafe_url) . '">...
>
> echo '<a href="' .  esc_attr($unsafe_url) . '">...
>
> echo '<a href="' .  esc_attr(esc_url($unsafe_url)) . '">...
>
>
> -- 
> http://scribu.net
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
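
The three variants from the question, run over constructed inputs, as an added example that is not part of the original thread and is not WordPress code. `demo_attr_escape()` and `demo_url_filter()` are hypothetical, simplified stand-ins that keep attribute-context escaping and URL scheme filtering strictly separate; the real esc_attr() and esc_url() differ in detail.

```php
<?php
// Simplified stand-ins for illustration only. These are NOT the WordPress
// implementations of esc_attr() / esc_url(); names and behaviour are assumptions.

// Attribute-context escaping: encodes & " ' < > so the value cannot close the
// attribute or the tag. It does not care what the value means as a URL.
function demo_attr_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// URL-context filtering: relative URLs and allowlisted schemes pass through,
// anything else becomes ''. It does no HTML encoding at all.
function demo_url_filter(string $url, array $allowed = ['http', 'https', 'mailto']): string {
    // Strip control characters and whitespace, which browsers may ignore
    // inside a scheme name.
    $url = preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '';
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return in_array(strtolower($m[1]), $allowed, true) ? $url : '';
    }
    return $url; // no scheme: treated as a relative URL
}

// Constructed sample inputs.
$samples = [
    'https://example.com/?a=1&b=2',            // ordinary URL
    'https://example.com/" title="injected',   // quote would close the href attribute
    'javascript:void(0)',                      // harmless as attribute text, unwanted scheme
    "java\tscript:void(0)",                    // same scheme, split by a tab
];

foreach ($samples as $unsafe_url) {
    printf("input      : %s\n", json_encode($unsafe_url, JSON_UNESCAPED_SLASHES));
    // Escaping only: quotes are neutralised, the scheme is left untouched.
    printf("attr only  : <a href=\"%s\">\n", demo_attr_escape($unsafe_url));
    // Filtering only: the scheme is checked, the quote reaches the markup as-is.
    printf("url only   : <a href=\"%s\">\n", demo_url_filter($unsafe_url));
    // Filter for meaning first, then escape for the output context.
    printf("url + attr : <a href=\"%s\">\n\n", demo_attr_escape(demo_url_filter($unsafe_url)));
}
```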

