Define WordPress esc_url | wordpress website security

Posted by DESIGNUX | in : Wordpress

Escape functions such as esc_url() protect against attacks and malformed characters. Among other things, they remove invalid characters, remove dangerous characters, and encode characters as HTML entities. Untrusted data does not come only from users; it can also come from values saved in your own database.

As a general rule in WordPress, use the escape functions whenever any part of the URL is not generated by WordPress functions. If the entire URL is generated only by WordPress functions, the escape functions are not necessary.


<?php esc_url( $url, $protocols, $_context ); ?>


$url
(string) (Required) The URL to be cleaned.

$protocols
(array) (Optional) An array of acceptable protocols. Defaults to the return value of wp_allowed_protocols().

Default value: null

$_context
(string) (Optional) Private. Use esc_url_raw() for database usage.

Default value: ‘display’
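
The following is an added example, not code from the original post: it stores a URL with esc_url_raw() and escapes it again with esc_url() when printing, because a value read back from the database is still untrusted. It assumes it runs inside WordPress (a plugin or a theme's functions.php); the meta key `partner_url`, the nonce field and action names, and the `example_` functions are hypothetical.

```php
<?php
// Added example. 'partner_url', 'partner_url_nonce', 'save_partner_url' and the
// example_* function names are hypothetical, chosen only for illustration.

// Saving: esc_url_raw() is the database-side variant of esc_url().
function example_save_partner_url( $post_id ) {
    if ( ! isset( $_POST['partner_url'], $_POST['partner_url_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( sanitize_key( $_POST['partner_url_nonce'] ), 'save_partner_url' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // Restrict $protocols to http/https instead of the wp_allowed_protocols() default.
    $clean = esc_url_raw( wp_unslash( $_POST['partner_url'] ), array( 'http', 'https' ) );

    // A URL whose scheme is not in the list (for example javascript:) comes back
    // as an empty string, so nothing unusable is stored.
    if ( '' === $clean ) {
        delete_post_meta( $post_id, 'partner_url' );
        return;
    }
    update_post_meta( $post_id, 'partner_url', $clean );
}
add_action( 'save_post', 'example_save_partner_url' );

// Output: this URL was not built by WordPress functions, so escape it at print time.
function example_partner_link( $post_id ) {
    $stored = get_post_meta( $post_id, 'partner_url', true );

    // Default 'display' context: the result is entity-encoded for use in HTML.
    $href = esc_url( $stored, array( 'http', 'https' ) );
    if ( '' === $href ) {
        return ''; // Missing or rejected URL: print no link at all.
    }

    return '<a href="' . $href . '" rel="noopener noreferrer">'
        . esc_html__( 'Partner site', 'example' ) . '</a>';
}
```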

ESC_URL: WordPress Function


