esc_url_raw() – Function | Developer.WordPress.org

Sanitizes a URL for database or redirect usage.

Description

This function is an alias for sanitize_url() .

Parameters

$urlstringrequired: The URL to be cleaned.
$protocolsstring[]optional: An array of acceptable protocols.
Defaults to return value of wp_allowed_protocols() .
Default:null

Return

string The cleaned URL after sanitize_url() is run.

The esc_url_raw() function is similar to esc_url() (and actually uses it), but unlike esc_url() it does not replace entities for display. The resulting URL is safe to use in database queries and redirects.

Please do not use this function as the only sanitizer for HTTP requests, as this function is unable to sanitize against security attacks such as SSRF.

This function is not safe to use for displaying the URL, use esc_url() instead.

Source

function esc_url_raw( $url, $protocols = null ) {
	return sanitize_url( $url, $protocols );
}

View all references View on Trac View on GitHub

Uses	Description
sanitize_url()`wp-includes/formatting.php`	Sanitizes a URL for database or redirect usage.

Used by	Description
WP_Scripts::do_item()`wp-includes/class-wp-scripts.php`	Processes a script dependency.

Changelog

Version	Description
6.1.0	Turned into an alias for sanitize_url() .
2.8.0	Introduced.

User Contributed Notes

Codex 9 years ago

Right and Wrong usage

<!-- Right -->
$url = 'http://wordpress.org';
$response = wp_remote_get( esc_url_raw( $url ) ); // no need to escape entities

if ( ! is_wp_error( $response ) ) {
	echo wp_remote_retrieve_body( $response );
}

<!-- Wrong! Use esc_url instead! -->
<img src="<?php echo esc_url_raw( $url ); ?>" />
<a href="<?php echo esc_url_raw( $url ); ?>">WordPress</a>

esc_url_raw( string $url, string[] $protocols = null ): string

In this article