[wp-hackers] esc_url or esc_attr or both
Haluk Karamete
halukkaramete at gmail.com
Thu Apr 23 00:59:11 UTC 2015
Say you're retrieving a value from the DB and you expect it to be in
the form of a URL.
Let's assume that value has to go in an img tag as its src attribute.
In this case, what's the recommended way to escape it from an XSS point
of view?
I provided 4 ways below (each needs an echo, otherwise nothing is output):
1: just do esc_url
<img src="<?php echo esc_url($url_maybe); ?>">
2: just do esc_attr
<img src="<?php echo esc_attr($url_maybe); ?>">
3: do both but run esc_attr first
<img src="<?php echo esc_url(esc_attr($url_maybe)); ?>">
4: do both but run esc_url first
<img src="<?php echo esc_attr(esc_url($url_maybe)); ?>">
Similar confusion may occur in deciding esc_js and so on.
What simple guide can I use in situations like this?
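The distinction the question turns on is that attribute escaping and URL sanitisation answer two different questions. Attribute escaping only neutralises the characters that could close the quoted value or open a tag; it does nothing about the URL's scheme, so a `javascript:` URL passes through esc_attr() unchanged. URL sanitisation first decides whether the value is a URL the page is willing to load at all (WordPress's esc_url() allow-lists schemes via wp_allowed_protocols() and returns an empty string otherwise) and then makes the result attribute-safe. The script below is an added, plain-PHP illustration of that difference, not code from the post or from WordPress core: the helpers `attr_escape_like()` and `url_sanitise_like()` are invented for this example and are deliberately simpler than WordPress's esc_attr()/esc_url(), and the three test strings are constructed.

```php
<?php
// Added illustration, not WordPress core code. The two helpers below are
// hypothetical stand-ins that show the shape of the problem; WordPress's own
// esc_attr() and esc_url() do more (entity normalisation, whitespace stripping,
// a larger protocol allow-list, filters) and should be used in real themes:
//
//   <img src="<?php echo esc_url( $url_maybe ); ?>">
//
// is the form WordPress documents for a URL inside an HTML attribute.

// Attribute escaping: makes arbitrary text safe inside a quoted attribute
// value by encoding < > & " ' so it cannot break out of the attribute.
function attr_escape_like(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL sanitisation: allow-list the scheme first, then attribute-escape.
// A scheme that is not on the list yields '' (nothing rendered), which is
// the same policy esc_url() applies to disallowed protocols.
function url_sanitise_like(string $url, array $allowed = ['http', 'https']): string {
    $url = trim($url);
    // No scheme at all (relative URL): nothing to allow-list, just escape it.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return attr_escape_like($url);
    }
    if (!in_array(strtolower($m[1]), $allowed, true)) {
        return '';
    }
    return attr_escape_like($url);
}

// Constructed test inputs a defender would run through an escaper:
// a normal URL, a script-scheme URL, and a quote-breakout attempt.
$samples = [
    'https://example.com/a.png?x=1&y=2',
    'javascript:alert(1)',
    '" onerror="alert(1)',
];

foreach ($samples as $s) {
    // attr-only leaves 'javascript:alert(1)' untouched: it contains none of
    // the characters htmlspecialchars() encodes, so the scheme survives.
    printf("%-36s attr-only : [%s]\n", $s, attr_escape_like($s));
    // url+attr rejects the script scheme outright and encodes the breakout.
    printf("%-36s url+attr  : [%s]\n\n", '', url_sanitise_like($s));
}
```

Run with `php escaping_demo.php`. The output shows why option 2 in the post (esc_attr alone) is the one to avoid for a src attribute: the quote-breakout string is neutralised by both helpers, but only the URL-aware path refuses the `javascript:` value. Because esc_url() already returns attribute-safe output, options 3 and 4 add nothing over option 1, and option 3 in particular escapes before the URL check has run.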