This thing makes my coding difficult. The WordPress Codex justifies the use of esc_url by talking vaguely about security. But is it really worth the trouble?
For example, what's the important, practical security benefit of using
<?php echo esc_url( home_url( '/' ) ); ?>
instead of
<?php echo home_url() ?>
PS: I am not talking about theme development, but about a specific site.
asked Sep 12, 2015 at 19:00 by IXN (edited Sep 12, 2015 at 21:25)

4 Answers

Answer (20 votes): If you check the documentation on Data Validation it has the following to say about the function:
Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols [...], eliminates invalid characters, and removes dangerous characters.
There you have it — practical security benefit. Valid protocol, no murky characters.
The answer about necessity is firmly yes. Escaping output is the most basic security practice.
Another thing you must keep in mind: esc_url() is for something like <a href="SANITIZE_THIS_URL">your_text</a>. If you're going to use the URL in your HTML output, like an href attribute for a link, or a src attribute for an image element, you should use esc_url().
esc_url_raw() is for other cases where you want a clean URL, but you don't want HTML entities to be encoded. So any non-HTML usage (DB, redirect) would use this.
The esc_url_raw() function will do pretty much the same as esc_url(), but it will not decode entities, meaning it will not replace & with &#038; and so on. As Mark pointed out, it's safe to use esc_url_raw() in database queries, redirects and HTTP functions, such as wp_remote_get().
For more info, see the documentation for esc_url_raw().
Well, all user input should be sanitized... If the URL you inject is not user input (e.g. a site setting by someone you fully trust, hardcoded values) then you may relieve yourself from esc_url.
But if I could inject that URL into your site, I could easily inject JS code, or redirection code... or even server-side code in some situations.
This can lead to session hijacking and your users' accounts being stolen and other bad options.
Edit:
In your example, esc_url( home_url( '/' ) ); operated on a semi-hardcoded value! Therefore esc_url can be eliminated.
That said, I still don't see why bother distinguishing between when there is a threat and when there is not, and generally would suggest keeping esc_url() for every value.
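The two points made in the answers above, the HTML-versus-non-HTML split between esc_url() and esc_url_raw(), and what happens when an attacker-controlled URL reaches an href attribute, are easier to see side by side. The following is an added example, not code from the question or from any of the answers; it assumes it is run inside a WordPress install (for instance with `wp eval-file`, or from the site root so the `wp-load.php` require below resolves; that path is an assumption), and the sample URLs are constructed for the demonstration.

```php
<?php
/**
 * Added example, not code from the question or any of the answers above.
 * Assumes a WordPress install so that esc_url() and esc_url_raw() exist,
 * e.g. `wp eval-file esc-url-demo.php`, or run from the site root with the
 * require below (the wp-load.php path is an assumption).
 */
if ( ! function_exists( 'esc_url' ) ) {
    require_once __DIR__ . '/wp-load.php';
}

/**
 * Run both escapers over a handful of constructed inputs and return the
 * results as rows, so the caller can inspect them rather than only print.
 */
function esc_url_demo_compare() {
    // Constructed sample inputs: one benign, one with a query string, two hostile.
    $samples = array(
        'https://example.com/page',
        'https://example.com/?a=1&b=2',
        'javascript:alert(document.cookie)',
        'https://example.com/" onmouseover="alert(1)',
    );

    $rows = array();
    foreach ( $samples as $url ) {
        $rows[] = array(
            'input'       => $url,
            // HTML context: & becomes &#038;, quotes and spaces are stripped,
            // and a protocol not in wp_allowed_protocols() yields ''.
            'esc_url'     => esc_url( $url ),
            // Non-HTML context (redirects, DB, wp_remote_get()): same protocol
            // and character rules, but & is left as a literal ampersand.
            'esc_url_raw' => esc_url_raw( $url ),
        );
    }
    return $rows;
}

/**
 * The case from the third answer: a URL the attacker controls (think of a
 * "redirect_to" or "ref" query parameter) landing in an href attribute.
 * Returns the unsafe and the hardened markup so they can be compared.
 */
function esc_url_demo_href( $untrusted ) {
    return array(
        // Vulnerable: the raw value is concatenated straight into the attribute.
        'unsafe' => '<a href="' . $untrusted . '">continue</a>',
        // Hardened: esc_url() strips quotes and rejects javascript:, so the
        // attribute cannot be broken out of or turned into a script URL.
        'safe'   => '<a href="' . esc_url( $untrusted ) . '">continue</a>',
    );
}

/**
 * The other context from the second answer: a URL headed for a redirect.
 * esc_url_raw() keeps & intact so the query string survives; esc_url() would
 * encode it as &#038; and hand the browser a different URL.
 */
function esc_url_demo_redirect_target( $url ) {
    // In a real request this would be: wp_safe_redirect( esc_url_raw( $url ) ); exit;
    return esc_url_raw( $url );
}

// Constructed value standing in for $_GET['redirect_to'] so the script runs offline.
$attacker_value = 'javascript:alert(document.cookie)';

foreach ( esc_url_demo_compare() as $row ) {
    printf(
        "input:       %s\nesc_url:     %s\nesc_url_raw: %s\n\n",
        $row['input'],
        var_export( $row['esc_url'], true ),
        var_export( $row['esc_url_raw'], true )
    );
}
print_r( esc_url_demo_href( $attacker_value ) );
echo esc_url_demo_redirect_target( 'https://example.com/?a=1&b=2' ), "\n";
```

The compare table is the quickest way to answer the original question: for a trusted value like home_url() the two escapers hand back the same string, so esc_url() costs nothing; for the two hostile inputs it is the difference between a working injection and an empty or inert href.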
esc_url is used to produce valid HTML (not to sanitize input). You should use it any time you are not 100% sure that what you want to output is valid HTML for that context.