Last active
November 17, 2025 18:15
-
-
Save desrosj/47262ce682ff416d68f52dde37efbf2d to your computer and use it in GitHub Desktop.
Possible `esc_url()` code examples.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /* | |
| * Recommended approach for defaulting to 'http' while maintaining backwards compatibility. | |
| * | |
| * Example: no protocol with $protocols and 'https' first. | |
| * | |
| * Output: | |
| * - WordPress >= 6.9: 'https://profiles.wordpress.org' | |
| * - WordPress < 6.9: 'http://profiles.wordpress.org' | |
| */ | |
| echo esc_url( 'profiles.wordpress.org', array( 'https', 'http' ) ); | |
| /* | |
| * Example 1: no protocol included in $url. | |
| * | |
| * Output: | |
| * - WordPress >= 6.9: 'http://profiles.wordpress.org' | |
| * - WordPress < 6.9: 'http://profiles.wordpress.org' | |
| */ | |
| echo esc_url( 'profiles.wordpress.org' ); | |
| /* | |
| * Example 2: 'http' protocol incldued in $url. | |
| * | |
| * Output: | |
| * - WordPress >= 6.9: 'http://profiles.wordpress.org' | |
| * - WordPress < 6.9: 'http://profiles.wordpress.org' | |
| */ | |
| echo esc_url( 'http://profiles.wordpress.org' ); | |
| /* | |
| * Example 3: 'https' protocol included in $url. | |
| * | |
| * Output: | |
| * - WordPress >= 6.9: 'https://profiles.wordpress.org' | |
| * - WordPress < 6.9: 'https://profiles.wordpress.org' | |
| */ | |
| echo esc_url( 'https://profiles.wordpress.org' ); | |
| /* | |
| * Example 4: no protocol with $protocols and 'http' first. | |
| * | |
| * Output: | |
| * - WordPress >= 6.9: 'http://profiles.wordpress.org' | |
| * - WordPress < 6.9: 'http://profiles.wordpress.org' | |
| */ | |
| echo esc_url( 'profiles.wordpress.org', array( 'http', 'https' ) ); | |
| /* | |
| * Example 5: no protocol in $url with $protocols and no 'http' | |
| * | |
| * Output: | |
| * - WordPress >= 6.9: 'https://profiles.wordpress.org' | |
| * - WordPress < 6.9: '' | |
| * | |
| * Note: if 'http' is not included in the $protocols array, the fully escaped URL will not pass | |
| * the final check that a valid, allowed protocol is included. | |
| */ | |
| echo esc_url( 'profiles.wordpress.org', array( 'https' ) ); | |
| /* | |
| * Example 6: protocol within $url missing within $protocols. | |
| * | |
| * Output for all: | |
| * - WordPress >= 6.9: '' | |
| * - WordPress < 6.9: '' | |
| * | |
| * Note: if 'http' is not included in the $protocols array, the fully escaped URL will not pass | |
| * the final check that a valid, allowed protocol is included. | |
| */ | |
| echo esc_url( 'https://profiles.wordpress.org', array( 'http' ) ); | |
| echo esc_url( 'http://profiles.wordpress.org', array( 'https' ) ); | |
| echo esc_url( 'mailto:[email protected]', array( 'https', 'http' ) ); |
Author
@sabernhardt I've fixed the two points you made. Please double check.
Also, I moved example 7 to the top and labelled it as the recommended approach for enforcing https in a backward compatible way. I think we could include that in a separate code block before the bulleted notes in the post. And then include the other examples below that.
The recommended approach defaults to 'https'
By adding "Recommended approach for defaulting to 'https' while maintaining backwards compatibility." at the top, I do not think the Note is necessary for that example.
Author
Updated!
I split this and moved it to the Google doc. I'm hoping there's a better way to introduce the additional examples than "Additional examples of output include:"
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Corrections:
Optional: I edited Example 7's summary below, and it would be nice to line up the two output strings (easier to notice any difference).
Also, I think I would prefer the recommended example for back-compat before the end, but it does make sense in the progression.