Function and usage of esc_url() in wordpress


Answers ( 1 )


    The esc_url() function in WordPress is designed for sanitizing URLs by cleaning them from potentially harmful or unwanted characters. This function is particularly useful when dealing with user-input URLs or when outputting URLs in your themes and plugins to ensure they are safe and valid. Here's a detailed explanation of its functionality and usage:

    Function Signature:

    esc_url( string $url, string[] $protocols = null, string $_context = 'display' ): string


    • Checks and Cleans a URL: The primary function of esc_url() is to check and clean the provided URL. This involves removing a number of characters that could be potentially harmful or used for malicious purposes.


    • Character Removal and Replacement: The function strips out certain characters from the URL. When the URL is meant for display (which is the default behavior), it also replaces ampersands (&) for proper HTML encoding.
    • Application of 'clean_url' Filter: The cleaned URL undergoes further processing by the 'clean_url' filter, allowing for additional custom sanitization or modification through WordPress's filter system.


    1. $url (string - required): The URL that needs to be cleaned. This is the primary input to the function.
    2. $protocols (string[] - optional): An array of acceptable protocols that the URL may use. If not specified, WordPress uses the default protocols from the wp_allowed_protocols() function. This parameter allows for customization of which protocols are considered valid.
      • Default: null (i.e., defaults to protocols from wp_allowed_protocols()).
    3. $_context (string - optional): This parameter is meant for internal use. For database usage, it's recommended to use sanitize_url() instead.
      • Default: 'display' (indicating the URL is meant for display to users).


    • Type: string
    • Description: The function returns the cleaned URL after applying the 'clean_url' filter.
    • Special Cases:
      • An empty string is returned if the provided $url uses a protocol not included in the $protocols array.
      • If $url is an empty string, the function also returns an empty string.

    Sample Usage:

    // Example URL
    $url_to_clean = "";
    // Clean the URL for display
    $clean_url = esc_url( $url_to_clean );
    // Echo the clean URL in an anchor tag
    echo '<a href="' . esc_attr( $clean_url ) . '">Visit</a>';

    In this example, esc_url() is used to clean a URL before it is echoed out in an HTML anchor tag. This ensures that the URL is safe for display and free from potential XSS (Cross-Site Scripting) attacks or other vulnerabilities.

Leave an answer