[wp-hackers] esc_url() vs. esc_attr()

Otto otto at ottodestruct.com
Wed May 5 13:44:46 UTC 2010


On Wed, May 5, 2010 at 8:01 AM, scribu <scribu at gmail.com> wrote:
> Security question:
>
> What is the difference between esc_url() and esc_attr()?
>
>
> In other words, which of the following is best?


Several places in the core code only use esc_url. And looking through
the function, I see that it does handle single quotes. So the
preferred alternative would be:

echo "<a href='" . esc_url($unsafe_url) . "'>";

In other words, use single quotes in the HTML, not double quotes.

-Otto
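The quoting question above, as an added example that is not code from the thread or from WordPress core: a stand-alone PHP sanitizer, `safe_href()` (a hypothetical name), that restricts the URL scheme and entity-encodes both quote characters, so the same escaped value is safe whether the href attribute is written with single or double quotes.

```php
<?php
// Added illustration, not WordPress's esc_url() or esc_attr(): a minimal
// href sanitizer that (1) allows only http/https URLs and scheme-less
// (relative) paths, and (2) entity-encodes &, <, >, " and ', so the
// output cannot break out of the attribute in either quoting style.
function safe_href(string $url): string {
    $url = trim($url);
    // Browsers ignore ASCII control characters and spaces when they parse
    // a scheme, so drop them before deciding what the scheme is.
    $scheme_view = preg_replace('/[\x00-\x20]/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $scheme_view, $m)) {
        if (!in_array(strtolower($m[1]), ['http', 'https'], true)) {
            return ''; // reject javascript:, data:, vbscript:, file:, ...
        }
    }
    // ENT_QUOTES encodes both ' and ", so the quoting context no longer
    // matters; & becomes &amp;, which browsers decode in href values.
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (not taken from the thread).
$cases = [
    'https://example.com/?a=1&b=2',
    "https://example.com/x' title='quote-breakout",   // single-quote breakout attempt
    'https://example.com/x" title="quote-breakout',   // double-quote breakout attempt
    'javascript:void(0)',                             // non-http scheme
    "java\tscript:void(0)",                           // scheme hidden by a tab
    '/relative/path?q=1',                             // no scheme: allowed
];
foreach ($cases as $c) {
    $h = safe_href($c);
    echo "<a href='" . $h . "'>single</a>\n";
    echo '<a href="' . $h . '">double</a>' . "\n";
}
```

Both echoed forms render the same link because every quote in the value is encoded; the two scheme-bearing inputs produce an empty href rather than a script-capable one.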

