Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?

Yes, you do. Even if you have sanitised the value when saving it, you should always escape on output.

<a href="https://wordpress.stackexchange.com/questions/355618/<?php echo esc_url( get_theme_mod("url' ) ); ?>">

If you’re outputting a mailto: link to an email address, you also need to escape this with esc_url(), just make sure that the mailto: part is included in the escaped value, so that it’s a valid URL:

<a href="https://wordpress.stackexchange.com/questions/355618/<?php echo esc_url("mailto:' . get_theme_mod( 'mail' ) ); ?>">

Related Posts:

  1. What characters do I need to escape in XML documents?
  2. What characters must be escaped in HTML 5?
  3. How can I selectively escape percent (%) in Python strings?
  4. How do I escape a single quote in jQuery?
  5. Escape Character in SQL Server
  6. How to escape apostrophe (‘) in MySql?
  7. Should HTML output be passed through esc_html() AND wp_kses()?
  8. How to prevent escaping when saving HTML code in an option value?
  9. How to correctly escape query variables to be used in WP_Query
  10. esc_attr / esc_html / esc_url in echos
  11. When do I need to use esc_html()? [duplicate]
  12. what’s different between esc_attr, htmlspecialchars and htmlentities
  13. Allow all attributes in $allowedposttags tags
  14. When outputting a static string to the page, is it necessary to escape the output?
  15. How Flexible are the WordPress Coding Standards for PHPCS?
  16. why is esc_html() returning nothing given a string containing a high-bit character?
  17. How to properly escape a translated string?
  18. Translate a Constant while appeasing WordPress PHPCS
  19. Using esc_url() on a url more than once
  20. How to allow &nbsp with wp_kses()?
  21. Using esc_attr_e
  22. Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
  23. Escaping crashes my output
  24. How to safely escape the title attribute
  25. How to safely escape data that contains HTML attributes
  26. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  27. Echoing a URL to a link
  28. wp_kses_post escaping doesn’t appear to work as described?
  29. file_get_contents | escaping doesnt show the page
  30. Help about Escaping
  31. How to keep specific tag from an html string?
  32. Escaping Issues
  33. Escaping and Special Characters (e.g. &)
  34. Escaping get_option( ‘time_format’ ) is nesserary?
  35. How should esc_url be combined with trailingslashit?
  36. Correct way of using esc_attr() and esc_html()
  37. What are all the escape characters?
  38. How can I add ” character to a multi line string declaration in C#?
  39. Which characters need to be escaped when using Bash?
  40. Escape string Python for MySQL
  41. How do I use spaces in the Command Prompt?
  42. With “magic quotes” disabled, why does PHP/WordPress continue to auto-escape my POST data?
  43. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  44. Escaping and sanitizing SVGs in metabox textarea
  45. Which WP functions do you need to use esc_html() or esc_url() on?
  46. What’s the difference between esc_* functions?
  47. What to use instead of wp_kses() in user output
  48. How to escape custom css?
  49. How to Use Wildcards in $wpdb Queries Using $wpdb->get_results & $wpdb->prepare?
  50. PHP Coding Standards, Widgets and Sanitization
  51. Should messages in WP_Error already be html escaped?
  52. When do I need to use esc_attr when using WordPress internal functions
  53. Disable escaping html
  54. Do you need to escape hard coded plain text?
  55. How do I stop HTML entities in a custom meta box from being un-htmlentitied?
  56. Why should I escape translatable strings? and how shall i do that?
  57. Do I need to use the esc_html() function on hard coded links?
  58. How do I escape a table name or column name in SQL? esc_sql doesn’t do this
  59. How Could I sanitize the receive data from this code
  60. Should you escape hardcoded URLs?
  61. When I re-save a post with [code] sections, the entities are double-escaped (> becomes > etc)
  62. Escape post image attachments added to template
  63. wp_query not searching with apostrophe
  64. Which escape function to use when escaping an email or plain text?
  65. Is Wrapping intval() Around esc_attr() Redundant for Escaping Input?
  66. Base64 & JSON Encode array in PHP, use as HTML data attribute, decode and parse in JavaScript …. with proper Escaping
  67. Something is unescaping all html entities before output to browser [closed]
  68. How to get my post title to work with an apostrophe (‘s)?
  69. Securing/Escaping Output of file content – reading via fread() in PHP
  70. esc_js() breaks unicode sequences by removing the slash ‘\’ character
  71. Unexpected esc_html and esc_attr behaviour
  72. Allow HTML in Settings API input field
  73. Do we need to escape data that we receive from theme options?
  74. should I escape a literal url added in functions.php
  75. Why would you use esc_attr() on internal functions?
  76. How to allow single quote with esc_html__() without sprintf()
  77. How to safely return the HTML?
  78. product description text displays above website when in shop page [closed]
  79. Wrapping add_query_arg with esc_url not working
  80. wordpress post not showing my “” text>?
  81. Should I escape the html for the settings field created with add_settings_field?
  82. escape html in jQuery for WordPress
  83. echo cutom css code to WordPress page template file ? is this safe?
  84. Remove pre and code tags from WordPress
  85. Correct form of escaping and localization – functions.php breadcrumbs
  86. Escaping a Single Quote in str_replace for Nav Function
  87. wp_kses allow checkbox class and checked
  88. Escaping html for meta description
  89. How to make MySQL search queries with quotes
  90. Escaping WP_Query tax_query when term has special character(s)
  91. Escaping and sanitization
  92. Escaping WP_Query tax_query when term has special character(s)
  93. Escape html structure in php
  94. How to display post meta data in secure manner
  95. Allow iframe in custom meta box
  96. Escaping data from database (users table) is necessary?
  97. Escaping admin_url output being passed to js (esc_js vs esc_url)
  98. how to escape alert/window.location.replace with variable
  99. What is best practice when escaping the_title()?
  100. If necessary, how should wp_get_attachment_image() and its parameters be escaped?