What’s the difference between esc_* functions?

I’ve read Professional WordPress and it says:

esc_html function is used for scrubbing data that contains HTML. This function encodes special characters into their HTML entities

esc_attr function is used for escaping HTML attributes

esc_url. This function should be used to scrub the URL for illegal characters. Even though the href is technically an HTML attribute

What’s the difference between these?

If I have

<script>alert('hello world!');</script>this is some content

Would all < > be converted to &lt; &gt;? Will the URL be something like %xxx?

Answers:


Method 1

esc_html and esc_attr are near-identical; the only difference is that output gets passed through differently named filters (esc_html and attribute_escape respectively).

esc_url is more complex and specific: it deals with characters that can’t be in URLs and allowed protocols (a list of which can be passed as the second argument). It will also prepend input with the http:// protocol if it’s not present (and the link is not relative).
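As an added illustration, not code from the question, the answer or WordPress itself, here is a simplified Python model of the three behaviours the answer describes, run over the asker's sample string. The entity table, the allowed-protocol list and the URL character set are assumptions chosen to mirror the descriptions above, not WordPress's exact tables.

```python
import re

# Constructed tables that mirror the behaviour described in the answer;
# they are assumptions, not WordPress's own entity table or protocol list.
HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;"}
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "mailto")
# Conservative URL alphabet: anything outside it (spaces, < > " ...) is dropped.
URL_DISALLOWED = re.compile(r"[^A-Za-z0-9\-~+_.?#=!&;,/:%@$|*'()\[\]]")
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

# The asker's sample input, taken from the question above.
SAMPLE = "<script>alert('hello world!');</script>this is some content"


def esc_html(text: str) -> str:
    """HTML text context: entity-encode the characters that could start markup."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in text)


def esc_attr(text: str) -> str:
    """Attribute context: same encoding; in WordPress only the filter hook differs."""
    return esc_html(text)


def esc_url(url: str, protocols=ALLOWED_PROTOCOLS) -> str:
    """URL context: drop illegal characters, enforce an allowed scheme,
    and prepend http:// when the value has no scheme and is not relative."""
    url = URL_DISALLOWED.sub("", url.strip())
    if not url:
        return ""
    if not SCHEME.match(url) and not url.startswith(("/", "#", "?")):
        url = "http://" + url
    m = SCHEME.match(url)
    if m and m.group(1).lower() not in protocols:
        return ""  # disallowed scheme: the whole value is rejected
    # The result is still placed inside an HTML attribute, so encode & and '.
    return url.replace("&", "&#038;").replace("'", "&#039;")


if __name__ == "__main__":
    for fn in (esc_html, esc_attr, esc_url):
        print(f"{fn.__name__}: {fn(SAMPLE)}")
```

Note that esc_url does not answer the "%xx" question with percent-encoding: the model, like the answer's description, removes characters that cannot appear in a URL rather than encoding them, and a value with no scheme gets http:// in front.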


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
