The question:
I’ve read Professional WordPress and it says:

esc_html function is used for scrubbing data that contains HTML. This function encodes special characters into their HTML entities.

esc_attr function is used for escaping HTML attributes.

esc_url. This function should be used to scrub the URL for illegal characters. Even though the href is technically an HTML attribute

What’s the difference between these? If I have

<script>alert('hello world!');</script>this is some content

would all < > be converted to &lt; &gt;? Will the URL be something like %xxx?
The Solutions:
Method 1
esc_html and esc_attr are near-identical; the only difference is that the output gets passed through differently named filters (esc_html and attribute_escape respectively).

esc_url is more complex and specific: it deals with characters that can’t be in URLs and with allowed protocols (a list of which can be passed as the second argument). It will also prepend the input with the http:// protocol if it’s not present (and the link is not relative).
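As an added illustration (not code from the book, from the answer above, or from WordPress itself), here is a small Python model of the three output contexts the answer describes, run on the string from the question. The function names mirror the WordPress ones, but the bodies are simplified reimplementations: the allowed-character set, the protocol list and the ASCII-only assumption are mine, and the behaviour matches WordPress only on the points the answer makes (entity encoding for esc_html and esc_attr; character stripping, a protocol allowlist and http:// prepending for esc_url).

```python
import html
import re

# Constructed sample input: the string from the question above.
SAMPLE_HTML = "<script>alert('hello world!');</script>this is some content"

# Protocols accepted by this model's esc_url. WordPress's default list is
# longer; assumption: these are enough to show the behaviour.
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "ftps", "mailto", "tel")


def esc_html(text):
    """Text-node context: &, <, >, " and ' become entities, so the <script>
    tag in the sample is displayed literally instead of parsed as markup.
    Unlike WordPress, this model double-encodes an existing entity such as
    &amp;, and it spells the apostrophe as &#x27; where WordPress uses &#039;."""
    return html.escape(text, quote=True)


def esc_attr(text):
    """Attribute-value context: the same transformation. Encoding both quote
    characters is what stops a value from closing the attribute it sits in
    and adding new ones (for example an onmouseover handler)."""
    return html.escape(text, quote=True)


# Characters allowed to remain in a URL; everything else is dropped.
# Modelled on the WordPress allowlist, restricted to ASCII (assumption).
_NOT_URL_CHAR = re.compile(r"[^A-Za-z0-9\-~+_.?#=!&;,/:%@$|*'()\[\]]")


def esc_url(url, protocols=ALLOWED_PROTOCOLS):
    """URL context: strip characters that cannot appear in a URL, prepend
    http:// to a bare host, and reject URLs whose scheme is not allowed."""
    url = url.strip().replace(" ", "%20")
    if not url:
        return ""
    # Dropping control characters here is what defeats "java\tscript:".
    url = _NOT_URL_CHAR.sub("", url)
    # A relative reference (path, fragment, query) has no scheme and is kept.
    if ":" not in url and not url.startswith(("/", "#", "?")):
        url = "http://" + url
    if ":" in url:
        scheme = url.split(":", 1)[0].lower()
        if scheme not in protocols:
            return ""
    return url


def build_link(text, href, title):
    """Each value is escaped for the context it lands in, not for its type."""
    return '<a href="{}" title="{}">{}</a>'.format(
        esc_url(href), esc_attr(title), esc_html(text)
    )


if __name__ == "__main__":
    print(esc_html(SAMPLE_HTML))
    for raw in ("example.com/page?a=1&b=2", "/wp-admin/",
                "javascript:alert(1)", "java\tscript:alert(1)",
                'http://example.com/" onmouseover="x'):
        print(repr(raw), "->", repr(esc_url(raw)))
    print(build_link("click", "javascript:alert(1)", 'x" onclick="y'))
```

Running it shows the three answers to the question: the angle brackets and quotes in the sample become entities, so the script tag is inert; a URL is not percent-encoded wholesale, but characters outside the URL alphabet are removed and a disallowed scheme such as javascript: empties the value; and because esc_url only scrubs the URL, the other attributes in the same tag still need esc_attr. The function to call is chosen by where the value is being written (text node, attribute, href), not by what the data looks like.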
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.