[wp-hackers] esc_url() vs. esc_attr()

Peter Westwood peter.westwood at ftwr.co.uk
Wed May 5 16:50:27 UTC 2010


On 5 May 2010, at 14:01, scribu wrote:

> Security question:
> 
> What is the difference between esc_url() and esc_attr() ?
> 
> 
> In other words, which of the following is best?
> 
> 
> echo '<a href="' .  esc_url($unsafe_url) . '">...
> 
> echo '<a href="' .  esc_attr($unsafe_url) . '">...
> 
> echo '<a href="' .  esc_attr(esc_url($unsafe_url)) . '">...

esc_url alone, as it gives you a URL that is escaped and safe for use in attributes.

For more info:

http://markjaquith.wordpress.com/2009/06/12/escaping-api-updates-for-wordpress-2-8/

Cheers

westi
-- 
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
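
The comparison asked about above, as an added example that is not part of the original thread: esc_attr() only HTML-encodes its input and leaves the URL scheme untouched, while esc_url() also filters the scheme against WordPress's allowed protocols and returns an empty string when it is not allowed. The script assumes it runs inside a loaded WordPress (for instance via `wp eval-file`); `demo_safe_link()` and the sample URLs are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread or from WordPress core.
// Assumption: WordPress is already loaded (e.g. `wp eval-file compare.php`).
if ( ! function_exists( 'esc_url' ) ) {
	exit( "WordPress is not loaded; run this inside a WordPress context.\n" );
}

// Constructed sample inputs: a normal URL, a URL carrying markup,
// and a URL whose scheme is not on the allowed-protocols list.
$samples = array(
	'http://example.com/?a=1&b=2',
	'http://example.com/"><b>x</b>',
	'javascript:alert(1)',
);

/**
 * Hypothetical helper: emit a link only when esc_url() accepts the URL.
 * esc_url() returns '' for a scheme it does not allow, so the label is
 * printed as plain text instead of an anchor with an empty href.
 */
function demo_safe_link( $unsafe_url, $label ) {
	$href = esc_url( $unsafe_url );
	if ( '' === $href ) {
		return esc_html( $label );
	}
	return '<a href="' . $href . '">' . esc_html( $label ) . '</a>';
}

foreach ( $samples as $unsafe_url ) {
	printf( "input:    %s\n", $unsafe_url );
	// HTML-encoded only; the scheme passes through unchanged.
	printf( "esc_attr: %s\n", esc_attr( $unsafe_url ) );
	// Cleaned, scheme-checked and encoded for display in an attribute.
	printf( "esc_url:  %s\n", esc_url( $unsafe_url ) );
	printf( "link:     %s\n\n", demo_safe_link( $unsafe_url, 'link text' ) );
}
```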


