[wp-hackers] esc_url or esc_attr or both

Haluk Karamete halukkaramete at gmail.com
Thu Apr 23 00:59:11 UTC 2015


Say you're retrieving a value from the DB and you expect that to be in
the form of a URL.

Let's assume that that value has to go in an img tag as its src attribute.

In this case, what's the recommended way to escape that from an XSS point
of view?

I provided 4 ways below:

1: just do esc_url
<img src="<?php echo esc_url($url_maybe); ?>">

2: just do esc_attr
<img src="<?php echo esc_attr($url_maybe); ?>">

3: do both but run esc_attr first
<img src="<?php echo esc_url(esc_attr($url_maybe)); ?>">

4: do both but run esc_url first
<img src="<?php echo esc_attr(esc_url($url_maybe)); ?>">


Similar confusion may occur in deciding esc_js and so on.
What simple guide can I use in situations like this?


More information about the wp-hackers mailing list