esc_url, esc_url_raw or sanitize_url?

This might be a more useful demonstration:

<a href="<?php echo esc_url( $url ); ?>>I'm printing a URL to the frontend</a>

$url = sanitize_url( $_GET['user_inputted_data'] );
update_post_meta( $post_id, 'that_url', $url );

esc_url is an escaping function, sanitize_url is a sanitising function.

  • Sanitising functions clean incoming data, e.g. removing letters from phone numbers, stripping trailing space etc. This is the soap that cleans your data on the way into your site. Always sanitise user inputs and data from 3rd party/external sources such as forms and file imports.
  • Escaping functions escape data on output. Why trust that the variable contains a URL when you can force it to be a URL and guarantee it. esc_url here makes everything into a URL, even if it is not. There’s no sneaking in a script tag or other malicious HTML. Escaping functions are like cookie cutters, they enforce and guarantee their output will fit a particular shape or constraint. E.g. esc_html always returns plaintext, even if you pass it HTML it will escape the < and > so they’re human readable plaintext.

You would never sanitise on output, just as you would never escape on input.

Now it seems that esc_url_raw under the hood executes sanitize_url which in turn under the hood executes esc_url, in the end applying the clean_url_filter via the db context.

Indeed if you look at esc_attr and esc_html they both do the same thing, but that doesn’t mean they’re interchangeable. For one they have their own filters, so they might not be the same. It’s also self-documenting. It’s also a reminder that sometimes you should use other functions for attributes when you know more about their data type, e.g. esc_url for URLs, intval for integers, etc.

But what about esc_url_raw? Do not use this to escape output. It’s stated quite clearly on the official WP developer docs sites entry for this function. If you are trying to echo/print a URL in HTML, use esc_url.

What About esc_url_raw?

In 99% of situations you will never need to use this, and on the frontend when outputting URLs it should never be used.

The primary reason you would want to use this is for database queries according to the official documentation:

The esc_url_raw() function is similar to esc_url() (and actually uses it), but unlike esc_url() it does not replace entities for display. The resulting URL is safe to use in database queries, redirects and HTTP requests.

This function is not safe to use for displaying the URL, use esc_url() instead.

Lets run through your examples:

HTTP redirect, executed in PHP

Use esc_url_raw as the docs suggest.

page load, triggered via via js via window.location = <escaped_link_if_clicked>

While you should esc_url, the important part is that this is inside javascript, so you actually have an additional step to do:

window.location = <?php echo wp_json_encode( esc_url( $url ) ); ?>

Valid URLs can contain quotes, wp_json_encode can safely escape those for use inside javascript.

anchor tag link whose href value holds the escaped URL.

Always esc_url, never esc_url_raw.

Related Posts:

  1. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  2. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  3. What is the difference between esc_html and wp_filter_nohtml_kses?
  4. Escaping built-in WP function return strings
  5. What is the difference between strip_tags and wp_filter_nohtml_kses?
  6. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  7. How to sanitize user input?
  8. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  9. Securing/Escaping Output of file content – reading via fread() in PHP
  10. Why would you use esc_attr() on internal functions?
  11. How to store username and password to API in wordpress option DB?
  12. Symbolic Links on dev box with plugins and stylesheets
  13. How to call images from your plugins image folder?
  14. What’s the difference between esc_* functions?
  15. Nonces can be reused multiple times? Bug / Security issue?
  16. Can someone explain what wp_session_tokens are, and what are they used for?
  17. WordPress and PHP Sessions – Security and Performance
  18. How to escape custom css?
  19. How to add multiple custom URL variables?
  20. How to Rewrite WordPress URL for a Plugin
  21. Nonce in settings API with tabbed navigation
  22. Log in from one wordpress website to another wordpress website
  23. WP Cron doesn’t save or in post body
  24. Having Problem On Getting WP Post Gallery Images URL
  25. Mapping multiple URLs to same page
  26. URLs of plugin resources?
  27. WordPress restrict plugin file direct access
  28. Plugin development: is adding empty index.php files necessary?
  29. Confusion on WP Nonce usage in my Plugin
  30. array_map() for sanitizing $_POST
  31. Sanitizing comments or escaping comment_text()
  32. How to restore WP 5.4 behaviour where a numeric string could added to each page URL and parsed as “page” in WP 5.5?
  33. Correct way check nonce (security) using old Options API
  34. Why do I need to check if wp_nonce_field() exists before using it
  35. Sanitizing, Validating and Escaping in WordPress (Plugin)
  36. How Could I sanitize the receive data from this code
  37. Escape when echoed
  38. Is there any way to check for user login and send him to login?
  39. WordPress security issue to output data from user input from theme option form
  40. Should I always prefer esc_attr_e & esc_html_e instead of _e?
  41. Verify if user is wordpress logged in from another app since wordpress 4.0
  42. Secure Pages Best Practice
  43. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  44. Video Security just like facebook [closed]
  45. Prevent invalid or empty values from being saved to the database and retain the form field values upon error
  46. What is the safe way to print tracking code / pixel code before tag or tag
  47. mysql_real_escape_string() vs. esc_sql() in WordPress
  48. Is disabling test_form in wp_handle_upload a security concern?
  49. How to connect my wordpress plugin to a remote database securely?
  50. wp_nonce_field displaying twice
  51. Is it necessary to do validation again when retrieving data from database?
  52. wordpress is adding a second backslash when I use addslashes
  53. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  54. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  55. add_submenu_page hooked function must explicitly check user capabilities – why?
  56. Are there any security risks when submitting data-attribute data through AJAX?
  57. Do we need to escape data that we receive from theme options?
  58. Can I use %category% like Templates in my Plugin?
  59. Is it possible to use WP-CLI in a plugin (or theme)?
  60. Secruity Questions on a timer
  61. Using HTML links within translatable string
  62. How to list all images used on a specific page?
  63. How can I save a password securely as a settings field
  64. Using password protection to load different page elements?
  65. How to correctly escape an echo
  66. The URL of images on my website changed after being set as featured image
  67. How to save page URL as a favorite
  68. escape html in jQuery for WordPress
  69. Getting incorrect filepath inside custom block front-end output using @wordpress/create-block tutorial
  70. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  71. Check current URL is 404 in pre_option_stylesheet filter hook
  72. How to store sensitive user data (passwords)
  73. Sanitize WordPress Array Input?
  74. How do I make secure API calls from my WordPress plugin?
  75. esc_attr() on hard coded string
  76. Creating a return url for getting data from external api
  77. how to add security questions on wp-registration page and validate it
  78. do I need to sanitize a shortcode’s function input?
  79. Return raw image proxy for wordpress plugin
  80. How to pass a more variable with page/subpage in Wordprees URL?
  81. Experts opinions needed: How (in)secure is this approach?
  82. Plugins and how to assign urls to content
  83. Array/List Edit in Backend
  84. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  85. Any way to make Apache’s internal redirect work?
  86. Issue on Getting Images URL of the Post Gallery
  87. Mapping multiple URLs to same page
  88. Data Validation, dynamically generated fields (select for example)
  89. How to Rewrite WordPress URL for a Plugin
  90. How to Rewrite WordPress URL for a Plugin
  91. redirect word-press page with page values
  92. WordPress custom link with my plugin
  93. oneOf two possible objects in WP REST API?
  94. Sanitize and Save metabox values
  95. Personalized URL for non-logged in WordPress
  96. how to sanitizing $_POST with the correct way?
  97. WordPress dynamic widget by location?
  98. How to override supports of innerBlocks?
  99. What should I use instead of get_blog_option?
  100. Ajax functions – no access to wp-admin.php only online