[wp-hackers] esc_url() vs. esc_attr()
Ryan McCue
lists at rotorised.com
Wed May 5 13:13:59 UTC 2010
I believe the latter, as esc_url() only escapes invalid URLs, but
doesn't encode ", ' or >
--
Ryan McCue
<http://ryanmccue.info/>
On 05/05/2010, at 23:01, scribu <scribu at gmail.com> wrote:
> Security question:
>
> What is the difference between esc_url() and esc_attr() ?
>
>
> In other words, which of the following is best?
>
>
> echo '<a href="' . esc_url($unsafe_url) . '">...
>
> echo '<a href="' . esc_attr($unsafe_url) . '">...
>
> echo '<a href="' . esc_attr(esc_url($unsafe_url)) . '">...
>
>
> --
> http://scribu.net
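The two concerns raised in this thread, filtering a URL's scheme and encoding a value for an HTML attribute, shown side by side as an added example that is not part of the original thread or of WordPress. `demo_filter_url()` and `demo_escape_attr()` are hypothetical, simplified stand-ins (a scheme allowlist and `htmlspecialchars()`); they make no claim about what `esc_url()` or `esc_attr()` do internally, and the sample inputs are constructed.

```php
<?php
// Added illustration: helper names are hypothetical, not WordPress functions.

// Concern 1: scheme filtering. Returns '' unless the URL is relative or its
// scheme is on the allowlist (the allowlist is an assumed policy for this demo).
function demo_filter_url(string $url, array $allowed = ['http', 'https', 'mailto']): string
{
    // Browsers drop tab/CR/LF anywhere in a URL and trim leading/trailing
    // control characters and spaces, so normalise before reading the scheme.
    $url = trim(preg_replace('/[\t\r\n]+/', '', $url), "\x00..\x20");
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return in_array(strtolower($m[1]), $allowed, true) ? $url : '';
    }
    return $url; // no scheme: treated as a relative URL
}

// Concern 2: attribute encoding. Makes the value inert inside a quoted HTML
// attribute, but does not look at what kind of URL it is.
function demo_escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'https://example.com/?a=1&b=2',
    'JavaScript:alert(1)',
    'https://example.com/" onmouseover="alert(1)',
];

foreach ($samples as $raw) {
    printf("input      : %s\n", json_encode($raw, JSON_UNESCAPED_SLASHES));
    printf("attr only  : %s\n", demo_escape_attr($raw));
    printf("filter only: %s\n", demo_filter_url($raw));
    printf("filter+attr: %s\n\n", demo_escape_attr(demo_filter_url($raw)));
}
```

With these stand-ins, the second input passes through attribute encoding unchanged and the third passes through the scheme filter unchanged, so each helper covers a case the other does not.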