Yes, you do. Even if you have sanitised the value when saving it, you should always escape on output.
<a href="https://wordpress.stackexchange.com/questions/355618/<?php echo esc_url( get_theme_mod("url' ) ); ?>">
If you’re outputting a mailto:
link to an email address, you also need to escape this with esc_url()
, just make sure that the mailto:
part is included in the escaped value, so that it’s a valid URL:
<a href="https://wordpress.stackexchange.com/questions/355618/<?php echo esc_url("mailto:' . get_theme_mod( 'mail' ) ); ?>">
Related Posts:
- What characters do I need to escape in XML documents?
- What characters must be escaped in HTML 5?
- How can I selectively escape percent (%) in Python strings?
- How do I escape a single quote in jQuery?
- Escape Character in SQL Server
- How to escape apostrophe (‘) in MySql?
- Should HTML output be passed through esc_html() AND wp_kses()?
- How to prevent escaping when saving HTML code in an option value?
- How to correctly escape query variables to be used in WP_Query
- esc_attr / esc_html / esc_url in echos
- When do I need to use esc_html()? [duplicate]
- what’s different between esc_attr, htmlspecialchars and htmlentities
- Allow all attributes in $allowedposttags tags
- When outputting a static string to the page, is it necessary to escape the output?
- How Flexible are the WordPress Coding Standards for PHPCS?
- why is esc_html() returning nothing given a string containing a high-bit character?
- How to properly escape a translated string?
- Translate a Constant while appeasing WordPress PHPCS
- Using esc_url() on a url more than once
- How to allow   with wp_kses()?
- Using esc_attr_e
- Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
- Escaping crashes my output
- How to safely escape the title attribute
- How to safely escape data that contains HTML attributes
- Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
- Echoing a URL to a link
- wp_kses_post escaping doesn’t appear to work as described?
- file_get_contents | escaping doesnt show the page
- Help about Escaping
- How to keep specific tag from an html string?
- Escaping Issues
- Escaping and Special Characters (e.g. &)
- Escaping get_option( ‘time_format’ ) is nesserary?
- How to Git stash pop specific stash in 1.8.3?
- What are all the escape characters?
- Illegal Escape Character “\”
- Which characters need to be escaped when using Bash?
- What does it mean to escape a string?
- Invalid escape sequence (valid ones are \b \t \n \f \r \” \’ \\ )
- Escaping HTML strings with jQuery
- How do I escape ampersands in XML so they are rendered as entities in HTML?
- Should I escape wordpress functions like the_title, the_excerpt, the_content
- Best Practice for PHP
- Escaping and sanitizing SVGs in metabox textarea
- Sanitize and data validation with apply_filters() function
- Difference between esc_url() and esc_url_raw()
- What to use instead of wp_kses() in user output
- How to escape custom css?
- How to Use Wildcards in $wpdb Queries Using $wpdb->get_results & $wpdb->prepare?
- Escaping WP_Query tax_query when term has special character(s)
- Do I need to escape data passed to wp_localize_script()?
- Should messages in WP_Error already be html escaped?
- Escaping built-in WP function return strings
- How do I stop HTML entities in a custom meta box from being un-htmlentitied?
- Why should I escape translatable strings? and how shall i do that?
- esc_url not working within add_settings_field callback
- Do I need to use the esc_html() function on hard coded links?
- Prevent add_shortcode from escaping a tag
- Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
- wp_specialchars and wp_specialchars_decode in a shortcode plugin
- Sanitizing comments or escaping comment_text()
- Prevent escaping javascript in visual editor
- Sanitizing, Validating and Escaping in WordPress (Plugin)
- How Could I sanitize the receive data from this code
- Quotes being escaped inside wp_editor when saved with wp_kses_post
- When I re-save a post with [code] sections, the entities are double-escaped (> becomes > etc)
- wp_query not searching with apostrophe
- Is it safe and good practice to use do_shortcode to escape?
- Post Content, Special Characters and Filters
- Something is unescaping all html entities before output to browser [closed]
- Securing/Escaping Output of file content – reading via fread() in PHP
- WordPress stripping away backslashes from HTML
- Updating post data on save (save_post vs wp_insert_post_data)
- What is the safe way to print tracking code / pixel code before tag or tag
- mysql_real_escape_string() vs. esc_sql() in WordPress
- Unexpected esc_html and esc_attr behaviour
- How to escape html generate by a loop
- HTML escaping data with ajax requests
- Add HTML to Term Description
- should I escape a literal url added in functions.php
- Is there any solution, ide/tool etc., for automatic escaping for WordPress?
- How to allow single quote with esc_html__() without sprintf()
- Proper way to use esc_html__ and esc_attr__ etc for escaping value for translation
- Wrapping add_query_arg with esc_url not working
- ACF Unexpected T_CONSTANT_ENCAPSED_STRING [closed]
- How to pass an array as attribute of shortcode to work properly shortcode parser?
- wordpress post not showing my “” text>?
- How to correctly escape an echo
- Escaping a WPDB Object in One Shot
- How to make MySQL search queries with quotes
- Escaping WP_Query tax_query when term has special character(s)
- Escape html structure in php
- site_url() returns with additional backslashes
- Code auto escaping is not working when using short codes
- Allow iframe in custom meta box
- problem with quotes on new post
- Escaping data from database (users table) is necessary?
- esc_url, esc_url_raw or sanitize_url?
- how to sanitizing $_POST with the correct way?