Tip: esc_url versus esc_url_raw

https://twitter.com/#!/kovshenin/status/179599647130652672

This tweet gained some good attention on Twitter, so I thought it would be good to explain why. Then I found a support forums thread where Mark Jaquith pretty much explains it all:

esc_url() is for something like <a href="SANITIZE_THIS">text</a>

So if you’re going to use the URL in your HTML output, like a href attribute for a link, or a src attribute for an image element, you should use esc_url().

esc_url_raw() is for other cases where you want a clean URL, but you don’t want HTML entities to be encoded. So any non-HTML usage (DB, redirect) would use this.

The esc_url_raw() function does pretty much the same as esc_url(), but it will not encode entities, meaning it will not replace & with &#038; and so on. As Mark pointed out, it's safe to use esc_url_raw() in database queries, redirects and HTTP functions such as wp_remote_get().
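To make the split concrete, here is an added example (not code from the original post) of one user-supplied URL passed through the right function for each destination inside a plugin; the function and option name are made up for illustration, everything else is WordPress core API.

```php
<?php
/**
 * Hypothetical plugin helper (added example, not from the original post).
 * Assumes it runs inside WordPress, so esc_url(), esc_url_raw(),
 * update_option(), get_option(), wp_remote_get() and wp_safe_redirect()
 * are the core functions of those names.
 */
function my_plugin_save_and_show_endpoint( $user_input ) {
    // Constructed sample of what a user might type into a settings field:
    //   https://example.com/feed?a=1&b=2
    // Note the literal '&' in the query string.

    // Storage: no HTML context here, so keep '&' literal with esc_url_raw().
    // Anything esc_url() would turn into '&#038;' must NOT be stored that way,
    // or every later consumer gets a broken query string.
    update_option( 'my_plugin_endpoint', esc_url_raw( $user_input ) );

    // HTTP request: same reason. The remote server expects '&', not '&#038;'.
    $response = wp_remote_get( esc_url_raw( $user_input ) );

    // Redirect: the Location header is not HTML either. wp_safe_redirect()
    // additionally restricts the target to allowed hosts.
    // wp_safe_redirect( esc_url_raw( $user_input ) );

    // HTML output: esc_url() encodes '&' as '&#038;' (and "'" as '&#039;'),
    // strips characters that are not valid in a URL, and returns '' for any
    // scheme outside wp_allowed_protocols(), so the value is safe in an
    // href attribute. Escape at output time, from the raw stored value.
    printf(
        '<a href="%s">Current endpoint</a>',
        esc_url( get_option( 'my_plugin_endpoint' ) )
    );

    return $response;
}
```

Rule of thumb the example encodes: esc_url_raw() when the URL is going anywhere that is not HTML, esc_url() at the point where it is printed into markup.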

Oh, there’s now a codex entry for esc_url_raw too!

About the author

Konstantin Kovshenin

WordPress Core Contributor, ex-Automattician, public speaker and consultant, enjoying life in Moscow. I blog about tech, WordPress and DevOps.
