At least once a day, someone has to explain that the only esc_ function you can use to sanitize is esc_url_raw(). This stems from what was (at the time) a logical change. The function sanitize_url() was an alias for esc_url_raw() and it’s redundant to have both.
Except …
Over the years, WordPress has evolved and improved function names to the point that we can nearly say “Use sanitize_ functions to sanitize and esc_ functions to escape”, which makes life a lot easier for new users. They don’t have to remember any odd-functions-out except the wp_kses* ones.
For WordPress 5.9, I made a ticket to restore sanitize_url() and I’m delighted to be able to say that it’s back! It’s un-deprecated!
What’s the difference?
Nothing, except the name.
Can I keep using esc_url_raw()?
Yes, for now. Eventually we’d like to wean people off it, but it’s a process. No worries. If you’re using it, we won’t ding you.
Why does this matter?
Because now you (and anyone else) can look at $variable = sanitize_url( $_POST['variable_url'] ); and know “Ah, yes, this is sanitized.”
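To show the sanitize-on-input, escape-on-output split the naming now makes obvious, here is an added example (not code from the post or from WordPress core). The option name, settings group, nonce action and the form field name are assumptions; sanitize_url(), esc_url(), register_setting() and the other calls are the real WordPress APIs.

```php
<?php
/**
 * Added example: sanitize_url() on the way in, esc_url() on the way out.
 * 'example_settings_group', 'example_redirect_url' and the nonce action
 * 'example_save_url' are hypothetical names, not WordPress or post values.
 */

// Register the option so the Settings API runs sanitize_url() on the
// submitted value before it reaches the database.
add_action( 'admin_init', function () {
    register_setting(
        'example_settings_group',   // hypothetical settings group
        'example_redirect_url',     // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_url', // esc_url_raw() pre-5.9
            'default'           => '',
        )
    );
} );

// Manual handling of a posted URL: sanitize_url() drops disallowed
// protocols and unsafe characters but leaves '&' unencoded, so what is
// stored is a usable URL, not an HTML-escaped string.
function example_save_redirect_url() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_admin_referer( 'example_save_url' ); // hypothetical nonce action
    $raw = isset( $_POST['variable_url'] ) ? wp_unslash( $_POST['variable_url'] ) : '';
    $url = sanitize_url( $raw );
    if ( '' === $url ) {
        // Empty after sanitizing, e.g. a 'javascript:' scheme was rejected.
        return false;
    }
    return update_option( 'example_redirect_url', $url );
}

// Output: the stored value is sanitized, not escaped. esc_url() applies the
// HTML-context escaping ('&' becomes '&#038;') at the point of rendering.
function example_render_redirect_link() {
    $url = get_option( 'example_redirect_url', '' );
    if ( '' === $url ) {
        return '';
    }
    return sprintf( '<a href="%s">%s</a>', esc_url( $url ), esc_html( $url ) );
}
```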
Are you only posting this because you made the change?
No. I’m posting this because I promised some of the people I made that ticket for that I would 🙂 It’s delayed because I’ve been swamped.
It’s something that changes very little for most people, but will greatly help newer developers and minimize their confusion. And that? That is a fantastic thing!
My code sniffer tells me it’s wrong, what do I do?
Tell the people who run the sniffer, but keep in mind they’re probably adding in a bunch of changes, so it may take a while 🙂 Be cognizant of the work they do and respectful of the time they give you. Helps everyone.
#core, #security