At least once a day, someone has to explain that the only esc_ function you can use to sanitize is esc_url_raw(). This stems from what was (at the time) a logical change. The function sanitize_url() was an alias for esc_url_raw() and it’s redundant to have both.
Over the years, WordPress has evolved and improved function names to the point that we can nearly say “Use sanitize_ functions to sanitize and esc_ functions to escape” which makes life a lot easier for new users. They don’t have to remember any odd-functions-out except the
For WordPress 5.9, I made a ticket to restore sanitize_url() and I’m delighted to be able to say that it’s back! It’s un-deprecated!
What’s the difference?
Nothing, except the name.
Can I keep using esc_url_raw()?
Yes, for now. Eventually we’d like to wean people off it, but it’s a process. No worries. If you’re using it, we won’t ding you.
Why does this matter?
Because now you (and anyone else) can look at $variable = sanitize_url( $_POST['variable_url'] ); and know “Ah, yes, this is sanitized.”
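To show the “sanitize_ on input, esc_ on output” convention end to end, here is an added example (not code from the original post or from WordPress itself) of a hypothetical admin form handler for WordPress 5.9 or later. The myplugin_ function names, the action name and the option key are assumptions made up for illustration.

```php
<?php
// Added example: hypothetical plugin code. The 'myplugin_save_url' action,
// the 'myplugin_url' option and both function names are assumed.

add_action( 'admin_post_myplugin_save_url', 'myplugin_save_url' );

function myplugin_save_url() {
	// Authorize the user and verify the nonce before touching the input.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ) );
	}
	check_admin_referer( 'myplugin_save_url' );

	// Sanitize on input: remove WordPress's added slashes, then run
	// sanitize_url() with the allowed protocols narrowed to http and https.
	$raw = isset( $_POST['variable_url'] ) ? wp_unslash( $_POST['variable_url'] ) : '';
	$url = is_string( $raw ) ? sanitize_url( $raw, array( 'http', 'https' ) ) : '';

	// sanitize_url() returns an empty string when the protocol is not
	// in the allowed list, so treat '' as "nothing valid was submitted".
	if ( '' === $url ) {
		delete_option( 'myplugin_url' );
	} else {
		update_option( 'myplugin_url', $url );
	}

	$back = wp_get_referer();
	wp_safe_redirect( $back ? $back : admin_url() );
	exit;
}

function myplugin_render_link() {
	$url = get_option( 'myplugin_url', '' );
	if ( '' === $url ) {
		return;
	}
	// Escape on output, even though the stored value was sanitized:
	// esc_url() for the href attribute, esc_html() for the visible text.
	printf( '<a href="%s">%s</a>', esc_url( $url ), esc_html( $url ) );
}
```

Swapping sanitize_url() for esc_url_raw() in the handler gives the same result, which is the point of the answer above: only the name changes.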
Are you only posting this because you made the change?
No. I’m posting this because I promised some of the people I made that ticket for that I would 🙂 It’s delayed because I’ve been swamped.
It’s something that changes very little for most people, but will greatly help newer developers and minimize their confusion. And that? That is a fantastic thing!
My code sniffer tells me it’s wrong, what do I do?
Tell the people who run the sniffer, but keep in mind they’re probably adding in a bunch of changes, so it may take a while 🙂 Be cognizant of the work they do and respectful of the time they give you. Helps everyone.