How should esc_url be combined with trailingslashit?

It is recommended to escape as late as possible, but the function simply adds a trailing slash (/) (after removing existing one, if any), and I noticed core also used trailingslashit( esc_url() ), so I guess that’s how we would do it.

  • But that is not a definitive answer to your question (which is interesting, BTW), because there’s no official statement regarding which format should be used.

However, there’s a similar function, namely user_trailingslashit(), which conditionally adds the trailing slash and applies a filter hook that’s also named user_trailingslashit, hence in that case, the format should always be esc_url( user_trailingslashit() ).

Related Posts:

  1. What characters do I need to escape in XML documents?
  2. What characters must be escaped in HTML 5?
  3. How can I selectively escape percent (%) in Python strings?
  4. How do I escape a single quote in jQuery?
  5. Escape Character in SQL Server
  6. How to escape apostrophe (‘) in MySql?
  7. Should HTML output be passed through esc_html() AND wp_kses()?
  8. How to prevent escaping when saving HTML code in an option value?
  9. How to correctly escape query variables to be used in WP_Query
  10. esc_attr / esc_html / esc_url in echos
  11. When do I need to use esc_html()? [duplicate]
  12. what’s different between esc_attr, htmlspecialchars and htmlentities
  13. Allow all attributes in $allowedposttags tags
  14. When outputting a static string to the page, is it necessary to escape the output?
  15. How Flexible are the WordPress Coding Standards for PHPCS?
  16. why is esc_html() returning nothing given a string containing a high-bit character?
  17. How to properly escape a translated string?
  18. Translate a Constant while appeasing WordPress PHPCS
  19. Using esc_url() on a url more than once
  20. Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
  21. How to allow &nbsp with wp_kses()?
  22. Using esc_attr_e
  23. Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
  24. Escaping crashes my output
  25. How to safely escape the title attribute
  26. How to safely escape data that contains HTML attributes
  27. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  28. Echoing a URL to a link
  29. wp_kses_post escaping doesn’t appear to work as described?
  30. file_get_contents | escaping doesnt show the page
  31. Help about Escaping
  32. How to keep specific tag from an html string?
  33. Escaping Issues
  34. Escaping and Special Characters (e.g. &)
  35. Escaping get_option( ‘time_format’ ) is nesserary?
  36. Correct way of using esc_attr() and esc_html()
  37. How to Git stash pop specific stash in 1.8.3?
  38. Illegal Escape Character “\”
  39. What does it mean to escape a string?
  40. Invalid escape sequence (valid ones are \b \t \n \f \r \” \’ \\ )
  41. Escaping HTML strings with jQuery
  42. How do I escape ampersands in XML so they are rendered as entities in HTML?
  43. Should I escape wordpress functions like the_title, the_excerpt, the_content
  44. Best Practice for PHP
  45. Escaping and sanitizing SVGs in metabox textarea
  46. Sanitize and data validation with apply_filters() function
  47. Difference between esc_url() and esc_url_raw()
  48. How to escape custom css?
  49. Escaping WP_Query tax_query when term has special character(s)
  50. Do I need to escape data passed to wp_localize_script()?
  51. Should messages in WP_Error already be html escaped?
  52. Escaping built-in WP function return strings
  53. esc_url not working within add_settings_field callback
  54. Do I need to use the esc_html() function on hard coded links?
  55. Prevent add_shortcode from escaping a tag
  56. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  57. wp_specialchars and wp_specialchars_decode in a shortcode plugin
  58. Sanitizing comments or escaping comment_text()
  59. Prevent escaping javascript in visual editor
  60. Sanitizing, Validating and Escaping in WordPress (Plugin)
  61. Quotes being escaped inside wp_editor when saved with wp_kses_post
  62. When I re-save a post with [code] sections, the entities are double-escaped (> becomes > etc)
  63. Is it safe and good practice to use do_shortcode to escape?
  64. Post Content, Special Characters and Filters
  65. Securing/Escaping Output of file content – reading via fread() in PHP
  66. WordPress stripping away backslashes from HTML
  67. Updating post data on save (save_post vs wp_insert_post_data)
  68. What is the safe way to print tracking code / pixel code before tag or tag
  69. mysql_real_escape_string() vs. esc_sql() in WordPress
  70. Unexpected esc_html and esc_attr behaviour
  71. HTML escaping data with ajax requests
  72. Allow HTML in Settings API input field
  73. Do we need to escape data that we receive from theme options?
  74. should I escape a literal url added in functions.php
  75. Why would you use esc_attr() on internal functions?
  76. How to allow single quote with esc_html__() without sprintf()
  77. Wrapping add_query_arg with esc_url not working
  78. wordpress post not showing my “” text>?
  79. Should I escape the html for the settings field created with add_settings_field?
  80. escape html in jQuery for WordPress
  81. echo cutom css code to WordPress page template file ? is this safe?
  82. Remove pre and code tags from WordPress
  83. Correct form of escaping and localization – functions.php breadcrumbs
  84. Escaping a Single Quote in str_replace for Nav Function
  85. wp_kses allow checkbox class and checked
  86. Escaping html for meta description
  87. How to make MySQL search queries with quotes
  88. Escaping WP_Query tax_query when term has special character(s)
  89. Escaping and sanitization
  90. Escaping WP_Query tax_query when term has special character(s)
  91. Escape html structure in php
  92. site_url() returns with additional backslashes
  93. How to display post meta data in secure manner
  94. Allow iframe in custom meta box
  95. Escaping data from database (users table) is necessary?
  96. esc_url, esc_url_raw or sanitize_url?
  97. how to escape alert/window.location.replace with variable
  98. Escaping inline JS correctly
  99. What is best practice when escaping the_title()?
  100. If necessary, how should wp_get_attachment_image() and its parameters be escaped?