[wp-hackers] esc_url() vs. esc_attr()
Peter Westwood
peter.westwood at ftwr.co.uk
Wed May 5 16:50:27 UTC 2010
On 5 May 2010, at 14:01, scribu wrote:
> Security question:
>
> What is the difference between esc_url() and esc_attr() ?
>
>
> In other words, which of the following is best?
>
>
> echo '<a href="' . esc_url($unsafe_url) . '">...
>
> echo '<a href="' . esc_attr($unsafe_url) . '">...
>
> echo '<a href="' . esc_attr(esc_url($unsafe_url)) . '">...
esc_url alone, as it gives you a URL that is escaped and safe for use in attributes.
For more info:
http://markjaquith.wordpress.com/2009/06/12/escaping-api-updates-for-wordpress-2-8/
Cheers
westi
--
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
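
The difference behind this answer, as an added example that is not part of the original thread and not WordPress's own code: the stand-alone PHP below uses simplified stand-ins (`demo_attr_escape()` and `demo_url_escape()`, hypothetical names) instead of the real `esc_attr()` and `esc_url()`, and its sample inputs are constructed. It shows that attribute escaping only HTML-encodes the value, so a `javascript:` URL passes through, while a URL escaper that also checks the scheme against an allowlist rejects it.

```php
<?php
// Simplified stand-ins with hypothetical names. These are NOT WordPress's
// implementations of esc_attr() and esc_url().

// Attribute-style escaping: HTML-encodes special characters and nothing else.
function demo_attr_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// URL-style escaping: drop control characters, reject any scheme outside an
// allowlist, then HTML-encode the result for use inside an attribute.
function demo_url_escape(string $url, array $allowed = ['http', 'https', 'mailto']): string {
    $url = preg_replace('/[\x00-\x1f\x7f]+/', '', trim($url));
    if ($url === null || $url === '') {
        return '';
    }
    // The scheme is the text before the first ':' when no '/', '?' or '#'
    // comes earlier; URLs without one are treated as relative.
    if (preg_match('/^([^\/?#:]*):/', $url, $m)
        && !in_array(strtolower($m[1]), $allowed, true)) {
        return '';
    }
    return htmlspecialchars(str_replace(' ', '%20', $url), ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'https://example.com/?a=1&b=2',
    'javascript:alert(1)',
    "java\tscript:alert(1)",
    'https://example.com/" onmouseover="x',
];

foreach ($samples as $unsafe_url) {
    printf("input:       %s\n", json_encode($unsafe_url, JSON_UNESCAPED_SLASHES));
    printf("attr-escape: <a href=\"%s\">\n", demo_attr_escape($unsafe_url));
    printf("url-escape:  <a href=\"%s\">\n\n", demo_url_escape($unsafe_url));
}
```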