Tip: don’t use esc_url() with wp_remote_get() and other HTTP functions. Use esc_url_raw() instead. #wordpress
— Konstantin Kovshenin (@kovshenin) March 13, 2012
This tweet gained some good attention on Twitter, so I thought it would be good to explain why. Then I found a support forums thread where Mark Jaquith pretty much explains it all:
esc_url() is for something like
So if you’re going to use the URL in your HTML output, like a href attribute for a link, or a src attribute for an image element, you should use esc_url().
esc_url_raw() is for other cases where you want a clean URL, but you don’t want HTML entities to be encoded. So any non-HTML usage (DB, redirect) would use this.
The esc_url_raw() function does pretty much the same as esc_url(), but it will not encode entities, meaning it will not replace & with &#038; and so on. As Mark pointed out, it’s safe to use esc_url_raw() in database queries, redirects and HTTP functions, such as
Oh, there’s now a codex entry for esc_url_raw too!
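To see why the tip matters for HTTP functions, here is an added example (not code from the original post or from WordPress itself) that compares what each function hands to its consumer and then fetches with the raw form. It assumes WordPress is loaded, for instance when run through WP-CLI's wp eval-file; the demo_* function names and the example.com URL are hypothetical.

```php
<?php
// Added example, not code from the original post. Assumes WordPress is loaded;
// the demo_* names and the example.com URL are hypothetical.

// Show what each escaping function hands to its consumer.
function demo_compare_url_escaping( $url ) {
	$for_html = esc_url( $url );     // display context: "&" becomes "&#038;"
	$for_http = esc_url_raw( $url ); // non-HTML context: "&" stays literal

	// Parse each result the way an HTTP client would. In the esc_url() form
	// the "#" of "&#038;" starts a fragment, so later parameters are cut off.
	parse_str( (string) parse_url( $for_html, PHP_URL_QUERY ), $seen_if_misused );
	parse_str( (string) parse_url( $for_http, PHP_URL_QUERY ), $seen_if_raw );

	return compact( 'for_html', 'for_http', 'seen_if_misused', 'seen_if_raw' );
}

// Fetch with the raw form, print with the HTML form.
function demo_fetch_and_link( $url ) {
	$request_url = esc_url_raw( $url );
	if ( '' === $request_url ) {
		return ''; // rejected, e.g. a protocol that is not allowed
	}

	$response = wp_remote_get( $request_url, array( 'timeout' => 5 ) );
	if ( is_wp_error( $response ) ) {
		return esc_html( $response->get_error_message() );
	}

	// Only at output time does the URL get the HTML-context escaping.
	return sprintf(
		'<a href="%s">%s</a> (HTTP %d)',
		esc_url( $request_url ),
		esc_html( $request_url ),
		(int) wp_remote_retrieve_response_code( $response )
	);
}

// Constructed sample input: two parameters, so the URL contains a literal "&".
$url = add_query_arg(
	array( 'format' => 'json', 'page' => 2 ),
	'https://api.example.com/items'
);
print_r( demo_compare_url_escaping( $url ) );
```

The comparison function makes no network request, so it can be used on its own to check how a given URL would be seen by the remote server under each escaping choice.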