I’ve read Professional WordPress and it says:
esc_htmlfunction is used for
scrubbing data that contains HTML.
This function encodes special
characters into their HTML entities
esc_attrfunction is used for escaping
HTML attributes
esc_url. This function should be used
to scrub the URL for illegal
characters. Even though the href is
technically an HTML attribute
What’s the difference between these?
If I have
<script>alert('hello world!');</script>this is some content
Would all < > be converted to < >? Will the URL be something like %xxx?
esc_htmlandesc_attrare near-identical, the only difference is that output gets passed through differently named filters (esc_htmlandattribute_escaperespectively).esc_urlis more complex and specific, it deals with characters that can’t be in URLs and allowed protocols (list of which can be passed as second argument). It will also prepend input withhttp://protocol if it’s not present (and link is not relative).