esc_url

Checks and cleans a URL.

Description

(string) esc_url( (string) $url, (constant) $protocols = null, (string) $_context = 'display' ); 

A number of characters are removed from the URL. If the URL is for display (the default behaviour), ampersands and single quotes are also replaced with HTML entities. The 'clean_url' filter is then applied to the cleaned URL before it is returned.

Returns (string)

The cleaned $url after the 'clean_url' filter is applied. An empty string is returned instead when the protocol check rejects the URL.

Parameters (3)

0. $url (string)
The URL to be cleaned.
1. $protocols — Optional. (array|null) => null
An array of acceptable protocols. Defaults to the return value of wp_allowed_protocols().
2. $_context — Optional. (string) => 'display'
Private. Use esc_url_raw() for database usage.

Usage

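  // Load the defining file only when WordPress has not already loaded it.
  if ( ! function_exists( 'esc_url' ) ) {
      require_once ABSPATH . WPINC . '/formatting.php';
  }

  // The URL to be cleaned.
  $url = '';

  // Optional. An array of acceptable protocols.
  // Defaults to return value of wp_allowed_protocols()
  $protocols = null;

  // Private. Keep this at 'display' (the function's default): any other
  // value, including an empty string, skips the ampersand and single-quote
  // entity encoding that esc_url() applies for output.
  // Use esc_url_raw() for database usage.
  $context = 'display';

  // NOTICE! Understand what this does before running.
  // The result is an empty string when the protocol check rejects the URL.
  $result = esc_url( $url, $protocols, $context );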

Defined (1)

The function is defined in the following location(s).

/wp-includes/formatting.php  
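  /**
   * Checks and cleans a URL.
   *
   * Processing order, as implemented below:
   *  1. Spaces become %20 and every character outside the allow-list is dropped.
   *     Double quotes and angle brackets are not in the allow-list, so they are
   *     removed at this step.
   *  2. Unless the URL starts with "mailto:", percent-encoded CR/LF sequences
   *     are stripped via _deep_replace().
   *  3. "http://" is prepended when the URL has no colon, does not start with
   *     '/', '#' or '?', and does not look like a bare .php file name.
   *  4. In the 'display' context, ampersands and single quotes are converted to
   *     numeric HTML entities.
   *  5. Square brackets outside the scheme/user/host/port prefix are
   *     percent-encoded.
   *  6. The protocol is checked with wp_kses_bad_protocol(); a URL that the
   *     check alters is rejected by returning an empty string.
   *
   * Security notes for callers:
   *  - A URL whose first character is '/' skips the protocol check entirely.
   *    That includes protocol-relative forms such as '//host/path', so code
   *    that must keep links on the current site needs its own host check.
   *  - The return value passes through the 'clean_url' filter last, so a
   *    callback attached to that filter decides the final output.
   *
   * @param string     $url       The URL to be cleaned.
   * @param array|null $protocols Optional. An array of acceptable protocols.
   *                              Defaults to return value of wp_allowed_protocols().
   * @param string     $_context  Private. Use esc_url_raw() for database usage.
   * @return string The cleaned URL after the 'clean_url' filter is applied, or
   *                an empty string when the protocol check rejects it.
   */
  function esc_url( $url, $protocols = null, $_context = 'display' ) {
      $original_url = $url;

      if ( '' == $url )
          return $url;

      $url = str_replace( ' ', '%20', $url );
      // Allow-list filter: anything not named in the character class is removed.
      $url = preg_replace('|[^a-z0-9-~+_.?#=!&;, /:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url);

      // Nothing survived the allow-list, so there is nothing left to clean.
      if ( '' === $url ) {
          return $url;
      }

      // Percent-encoded CR/LF is stripped from everything except mailto: links.
      if ( 0 !== stripos( $url, 'mailto:' ) ) {
          $strip = array('%0d', '%0a', '%0D', '%0A');
          $url = _deep_replace($strip, $url);
      }

      $url = str_replace(';//', '://', $url);
      /* If the URL doesn't appear to contain a scheme, we
       * presume it needs http:// prepended (unless a relative
       * link starting with /, # or ? or a php file).
       */
      if ( strpos($url, ':') === false && ! in_array( $url[0], array( '/', '#', '?' ) ) &&
          ! preg_match('/^[a-z0-9-]+?\.php/i', $url) )
          $url = 'http://' . $url;

      // Replace ampersands and single quotes only when displaying.
      if ( 'display' == $_context ) {
          $url = wp_kses_normalize_entities( $url );
          $url = str_replace( '&amp;', '&#038;', $url );
          $url = str_replace( "'", '&#039;', $url );
      }

      if ( ( false !== strpos( $url, '[' ) ) || ( false !== strpos( $url, ']' ) ) ) {

          $parsed = wp_parse_url( $url );
          $front = '';

          // Rebuild the scheme://user:pass@host:port prefix so that brackets
          // inside it are left alone and only the remainder is encoded.
          if ( isset( $parsed['scheme'] ) ) {
              $front .= $parsed['scheme'] . '://';
          } elseif ( '/' === $url[0] ) {
              $front .= '//';
          }

          if ( isset( $parsed['user'] ) ) {
              $front .= $parsed['user'];
          }

          if ( isset( $parsed['pass'] ) ) {
              $front .= ':' . $parsed['pass'];
          }

          if ( isset( $parsed['user'] ) || isset( $parsed['pass'] ) ) {
              $front .= '@';
          }

          if ( isset( $parsed['host'] ) ) {
              $front .= $parsed['host'];
          }

          if ( isset( $parsed['port'] ) ) {
              $front .= ':' . $parsed['port'];
          }

          $end_dirty = str_replace( $front, '', $url );
          $end_clean = str_replace( array( '[', ']' ), array( '%5B', '%5D' ), $end_dirty );
          $url = str_replace( $end_dirty, $end_clean, $url );

      }

      if ( '/' === $url[0] ) {
          // Anything starting with '/' is returned without a protocol check.
          $good_protocol_url = $url;
      } else {
          if ( ! is_array( $protocols ) )
              $protocols = wp_allowed_protocols();
          $good_protocol_url = wp_kses_bad_protocol( $url, $protocols );
          // Any change made by the protocol check means the URL is rejected
          // outright rather than returned in its altered form.
          if ( strtolower( $good_protocol_url ) != strtolower( $url ) )
              return '';
      }

      /**
       * Filters a string cleaned and escaped for output as a URL.
       * @since 2.3.0
       * @param string $good_protocol_url The cleaned URL to be returned.
       * @param string $original_url The URL prior to cleaning.
       * @param string $_context If 'display', replace ampersands and single quotes only.
       */
      return apply_filters( 'clean_url', $good_protocol_url, $original_url, $_context );
  }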