Escaping date string in URL with WordPress

strtotime will return false if you give it weird information.

var_dump(strtotime('<script>')); // bool(false)

However, if you do what you are doing and nest two statements, you may not get what you expect.

var_dump(strtotime('+1 day',strtotime('<script>'))); // int(86400)

And date returns the beginning of the universe, the day of creation – January 1, 1970 – if given weird data.

echo date('1 F j Y',strtotime('+1 day',strtotime('<script>')));

So, I don’t think you really have a sanitization issue, but it may not work the way you want.

That said, I’d strip every character that should not be in the date string, just in case. Maybe…

$display_date = preg_replace('/[^A-Za-z0-9+]*/','',$display_date); // assuming that you are encoding the spaces with a "+"

That will go a long way toward crippling injections, but won’t give you sane dates.

I don’t see anywhere that you are sending anything to the DB. You shouldn’t be sanitizing your page output (though sanitizing output is good) and expecting it to carry over to when the form processes or the link gets clicked. You should be sanitizing this just before the query runs (and using prepare) but I don’t see that part of the code at all.
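An alternative to stripping characters, shown here as an added example that is not part of the original answer: parse the URL value against one fixed format and reject anything that does not round-trip, so bad input never silently becomes a 1970 date. It assumes the link carries the date as YYYY-MM-DD; `parse_display_date()` and `next_day_label()` are hypothetical helper names, and in a WordPress template `esc_html()` would take the place of `htmlspecialchars()`.

```php
<?php
// Added example: strict validation of a date taken from a URL parameter.
// Assumption: the date travels as YYYY-MM-DD. Helper names are hypothetical.

function parse_display_date(string $raw): ?DateTimeImmutable
{
    // '!' resets unparsed fields, so the time part is always 00:00:00.
    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $raw, new DateTimeZone('UTC'));
    if ($date === false) {
        return null; // not a date at all, e.g. '<script>' or trailing junk
    }
    // Round-trip check rejects overflow such as 2013-02-31, which the
    // parser would otherwise roll forward into March.
    return $date->format('Y-m-d') === $raw ? $date : null;
}

function next_day_label(string $raw): ?string
{
    $date = parse_display_date($raw);
    if ($date === null) {
        return null; // caller picks the fallback; never fall through to 1970
    }
    // Escape at output time even though the value is now a formatted date.
    $label = $date->modify('+1 day')->format('l F j Y');
    return htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: one valid date and three that must be rejected.
$samples = ['2013-05-14', '<script>', '2013-02-31', '2013-05-14 OR 1=1'];
foreach ($samples as $raw) {
    var_dump(next_day_label($raw));
}
```

Only the first sample yields a label; the other three return `null` instead of a date near the Unix epoch.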