Why should I use the esc_url?

This thing makes my coding difficult.
Wordpress codex reasons the use of esc_url by talking vaguely about security.
But is it really worth the trouble?

For example, what’s the important, practical security benefit by using

<?php echo esc_url( home_url( "https://wordpress.stackexchange.com/" ) ); ?>

instead of

<?php echo home_url() ?>

PS: I am not talking about theme development, but about a specific site.


If you check the documentation on Data Validation it has following to say about the function:

Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols […], eliminates invalid characters, and removes dangerous characters.

There you have it — practical security benefit. Valid protocol, no murky characters.

The answer about necessity is firmly yes. Escaping output is the most basic security practice.

Leave a Comment