Codex tools: Log in
Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed, and telnet), eliminates invalid characters, and removes dangerous characters. This function encodes characters as HTML entities: use it when generating an (X)HTML or XML document. Encodes ampersands (&) and single quotes (') as numeric entity references (&, ').
Replaces the deprecated clean_url().
<?php esc_url( $url, $protocols, $_context ); ?>
As featured in the Twenty Thirteen theme, although simplified for the sake of the example
<a href="<?php echo esc_url( home_url( '/' ) ); ?>">Home</a>
esc_url() is located in
See: Data Validation article for an in-depth discussion of input and output sanitization.