[wp-hackers] esc_url or esc_attr or both
morgan.estes at gmail.com
Thu Apr 23 01:30:35 UTC 2015
In this case, using esc_url() as in example 1 is the way to go. Because of
the way the methods escape output, esc_attr() should be used for all other
tag attributes, but src and href should be escaped with esc_url().
On Wed, Apr 22, 2015, 7:59 PM Haluk Karamete <halukkaramete at gmail.com>
> Say you're retrieving a value from the DB and you expect that to be in
> the form of a URL.
> Let's assume that that value has to go in an img tag as its src attribute.
> In this case, what's the recommended way to escape that from an XSS point
> of view?
> I provided 4 ways below:
> 1: just do esc_url
> <img src="<?php echo esc_url($url_maybe); ?>" >
> 2: just do esc_attr
> <img src="<?php echo esc_attr($url_maybe); ?>" >
> 3: do both but run esc_attr first
> <img src="<?php echo esc_url(esc_attr($url_maybe)); ?>" >
> 4: do both but run esc_url first
> <img src="<?php echo esc_attr(esc_url($url_maybe)); ?>" >
> Similar confusion may occur in deciding esc_js and so on.
> What simple guide can I use in situations like this?
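To make the rule in the reply concrete, here is an added example (not code from the thread) of a template helper that escapes each attribute of an img tag with the function matching its context: esc_url() for src, esc_attr() for everything else. It assumes WordPress is loaded (for example via `wp eval-file` or inside a plugin); the helper name and the sample values are constructed for this illustration.

```php
<?php
// Added example, not from the thread. Assumes WordPress is loaded so that
// esc_url() and esc_attr() are available.

/**
 * Render an <img> tag from values that came from the database.
 * Each attribute is escaped once, at output time, with the function
 * that matches its context: esc_url() for src, esc_attr() otherwise.
 */
function render_image_tag( $url_maybe, $alt_maybe, $class_maybe ) {
    $src = esc_url( $url_maybe );
    if ( '' === $src ) {
        // esc_url() returns an empty string when the URL uses a protocol
        // that is not in wp_allowed_protocols(), so there is nothing safe
        // to render; esc_attr() alone would have left such a value intact.
        return '';
    }
    return sprintf(
        '<img src="%s" alt="%s" class="%s">',
        $src,
        esc_attr( $alt_maybe ),
        esc_attr( $class_maybe )
    );
}

// Constructed sample rows standing in for values read from the database.
$samples = array(
    array( 'https://example.com/a.png', 'A "quoted" caption', 'thumb' ),
    array( 'https://example.com/b.png?x=1&y=2', 'plain caption', 'wide large' ),
    array( 'javascript:alert(1)', 'looks like an image', 'thumb' ),
);
foreach ( $samples as $row ) {
    echo render_image_tag( $row[0], $row[1], $row[2] ), "\n";
}
```

The first two rows render with the quotes in alt and the ampersand in the query string encoded; the third renders nothing, because esc_url() rejects the disallowed protocol, which is the check esc_attr() does not perform.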