What’s the difference between esc_* functions?

The question:

I’ve read Professional WordPress and it says:

esc_html function is used for
scrubbing data that contains HTML.
This function encodes special
characters into their HTML entities

esc_attr function is used for escaping
HTML attributes

esc_url. This function should be used
to scrub the URL for illegal
characters. Even though the href is
technically an HTML attribute

What’s the difference between these?

If I have

<script>alert('hello world!');</script>this is some content

Would all < > be converted to &lt; &gt;? Will the URL be something like %xxx?

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

esc_html and esc_attr are near-identical, the only difference is that output gets passed through differently named filters ( esc_html and attribute_escape respectively).

esc_url is more complex and specific, it deals with characters that can’t be in URLs and allowed protocols (list of which can be passed as second argument). It will also prepend input with http:// protocol if it’s not present (and link is not relative).


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Comment