I’ve read Professional WordPress and it says:
esc_htmlfunction is used for
scrubbing data that contains HTML.
This function encodes special
characters into their HTML entities
esc_attrfunction is used for escaping
esc_url. This function should be used
to scrub the URL for illegal
characters. Even though the href is
technically an HTML attribute
What’s the difference between these?
If I have
<script>alert('hello world!');</script>this is some content
< > be converted to
< >? Will the URL be something like
Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.
esc_attr are near-identical, the only difference is that output gets passed through differently named filters (
esc_url is more complex and specific, it deals with characters that can’t be in URLs and allowed protocols (list of which can be passed as second argument). It will also prepend input with
http:// protocol if it’s not present (and link is not relative).