[wp-hackers] esc_url or esc_attr or both

Morgan Estes morgan.estes at gmail.com
Thu Apr 23 01:30:35 UTC 2015


In this case, using esc_url() as in example 1 is the way to go. Because of
the way the methods escape output, esc_attr() should be used for all other
tag attributes, but src and href should be escaped with esc_url().

On Wed, Apr 22, 2015, 7:59 PM Haluk Karamete <halukkaramete at gmail.com>
wrote:

> Say, you're retrieving a value from the DB and you expect that to be in
> the form of a URL
>
> Let's assume that that value has to go in an img tag as its src attribute;
>
> In this case, what's the recommended way to escape that from an XSS point
> of view.
>
> I provided 4 ways below;
>
> 1: just do esc_url
> <img src="<?php echo esc_url($url_maybe);?>" >
>
> 2: just do esc_attr
> <img src="<?php echo esc_attr($url_maybe);?>" >
>
> 3: do both but run esc_attr first
> <img src="<?php echo esc_url(esc_attr($url_maybe));?>" >
>
> 4: do both but run esc_url first
> <img src="<?php echo esc_attr(esc_url($url_maybe));?>" >
>
>
> Similar confusion may occur in deciding esc_js and so on.
> What simple guide can I use in situations like this?
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
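
The rule from the reply above (esc_url() for src/href, esc_attr() for every other attribute, each value escaped once at output time), written out as an added example that is not part of the original thread. It assumes a WordPress install reachable through wp-load.php so that esc_url() and esc_attr() are defined; render_image_tag() and the sample rows are constructed for illustration and are not WordPress code.

```php
<?php
// Added example, not from the original thread. Assumes WordPress is
// installed alongside this file so esc_url()/esc_attr() exist; adjust the path.
require_once __DIR__ . '/wp-load.php';

/**
 * Render an <img> tag from a database row, choosing the escaping function
 * by attribute type: esc_url() for the URL-valued src, esc_attr() for all
 * other attributes. Each value is escaped exactly once, at output time.
 *
 * @param array $row Associative array with 'src', 'alt' and 'title' keys.
 * @return string    The escaped tag, or '' if the URL was rejected.
 */
function render_image_tag( array $row ) {
	// URL context: esc_url() rejects disallowed schemes and strips characters
	// such as ", <, > and spaces, so the attribute cannot be broken out of.
	$src = esc_url( $row['src'] );

	// Plain attribute context: esc_attr() entity-encodes <, >, &, " and '.
	$alt   = esc_attr( $row['alt'] );
	$title = esc_attr( $row['title'] );

	// esc_url() returns '' for a URL it rejects; do not emit a src-less tag.
	if ( '' === $src ) {
		return '';
	}

	return sprintf( '<img src="%s" alt="%s" title="%s">', $src, $alt, $title );
}

// Constructed sample rows standing in for values fetched from the database.
$rows = array(
	array(
		'src'   => 'https://example.com/cat.png?w=100&h=100',
		'alt'   => 'A "cat" <with> quotes & angle brackets',
		'title' => "It's a cat",
	),
	array(
		// A stored javascript: URL. Its scheme is not in wp_allowed_protocols(),
		// so esc_url() returns '' and render_image_tag() skips the tag.
		'src'   => 'javascript:alert(document.cookie)',
		'alt'   => 'hostile',
		'title' => '',
	),
	array(
		// A quote-breakout attempt inside the URL. esc_url() strips the double
		// quote and the space, so the src attribute cannot be closed early.
		'src'   => 'https://example.com/x.png" onerror="alert(1)',
		'alt'   => 'breakout',
		'title' => '',
	),
);

foreach ( $rows as $row ) {
	echo render_image_tag( $row ), "\n";
}
```

Run it from the WordPress root with `php` on the command line. In a theme template the same rule reads `<img src="<?php echo esc_url( $url ); ?>" alt="<?php echo esc_attr( $alt ); ?>">`; note the `echo`, since both functions return the escaped string rather than printing it. Wrapping esc_url() in esc_attr() (variant 4 in the question) is unnecessary because esc_url() already removes double quotes and encodes single quotes, and wrapping esc_attr() in esc_url() (variant 3) is wrong for a URL because the entity-encoded value is then treated as URL characters.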
