[wp-hackers] esc_url() vs. esc_attr()
otto at ottodestruct.com
Wed May 5 13:44:46 UTC 2010
On Wed, May 5, 2010 at 8:01 AM, scribu <scribu at gmail.com> wrote:
> Security question:
> What is the difference between esc_url() and esc_attr() ?
> In other words, which of the following is best?

Several places in the core code only use esc_url. And looking through
the function, I see that it does handle single quotes. So the
preferred alternative would be:

    echo "<a href='" . esc_url($unsafe_url) . "'>";

In other words, use single quotes in the HTML, not double quotes.
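
The comparison asked about in this thread, as an added example that is not part of the original post or of WordPress core: it prints the same constructed URLs through esc_attr() and esc_url() so the two outputs can be read side by side. esc_attr() only encodes HTML special characters, while esc_url() also checks the scheme against WordPress's allowed protocols. It assumes WordPress is already loaded (for instance via `wp eval-file`); the file name and the `link_with_*` helper names are hypothetical.

```php
<?php
// compare-escaping.php (hypothetical file name).
// Added example: assumes WordPress is loaded, e.g. `wp eval-file compare-escaping.php`.

// href escaped with esc_attr() only: HTML special characters are encoded,
// the URL scheme is not inspected.
function link_with_esc_attr( $url ) {
    return "<a href='" . esc_attr( $url ) . "'>link</a>";
}

// href escaped with esc_url(), single-quoted as in the post above.
function link_with_esc_url( $url ) {
    return "<a href='" . esc_url( $url ) . "'>link</a>";
}

// Constructed sample inputs, one per case worth comparing.
$samples = array(
    'ampersand in query' => 'http://example.com/page?a=1&b=2',
    'single quote'       => "http://example.com/?q=it's",
    'double quote'       => 'http://example.com/?q="quoted"',
    'non-http scheme'    => 'javascript:void(0)',
);

foreach ( $samples as $label => $url ) {
    echo $label . PHP_EOL;
    echo '  input:    ' . $url . PHP_EOL;
    echo '  esc_attr: ' . link_with_esc_attr( $url ) . PHP_EOL;
    echo '  esc_url:  ' . link_with_esc_url( $url ) . PHP_EOL;
    echo PHP_EOL;
}
```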