Is escaping get_option( 'time_format' ) necessary?

Should you escape these?

$date_format = "Y/m/d";
$time_format = get_option( 'time_format' );

No. That would be early escaping! Early escaping is very bad!

However, should you escape this?

echo '<td>' . $date . ' ' . $time . '</td>';

YES.

Escaping is not about whether it’s needed or not. If you ever find yourself saying “It shouldn’t be a problem because it’s always a”, stop yourself and escape.

Escaping is about enforcing assumptions and expectations. Why trust that it will be safe when you can escape and guarantee that it’s safe?

This protects you in multiple ways, e.g. if you use esc_html you’ve guaranteed the string will never contain HTML. Even if you make changes in the future further up, filters get added, etc., you always know that it’s safe because you escaped at the moment of output.
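
The late-versus-early distinction above as an added example, not part of the original answer: the same table cell is built once with esc_html applied at output and once with it applied to the option value first. The helper names, the stand-in definitions for running outside WordPress, the use of gmdate, and the option value containing markup are all assumptions constructed for the illustration.

```php
<?php
// Added example, not code from the original answer.
// Stand-ins so this runs under plain PHP; inside WordPress the real
// esc_html() and get_option() exist and these definitions are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'get_option' ) ) {
    function get_option( $name, $default = false ) {
        // Constructed value: a time format that has picked up markup
        // somewhere upstream (a filter, an import, a manual edit).
        $options = array( 'time_format' => 'H:i <b>!</b>' );
        return isset( $options[ $name ] ) ? $options[ $name ] : $default;
    }
}

// Hypothetical helper: escape late, at the moment of output.
function render_cell_late( $timestamp ) {
    $date_format = 'Y/m/d';
    $time_format = get_option( 'time_format' ); // used raw, not escaped

    $date = gmdate( $date_format, $timestamp );
    $time = gmdate( $time_format, $timestamp );

    // Whatever happened above, the cell body cannot contain HTML.
    return '<td>' . esc_html( $date . ' ' . $time ) . '</td>';
}

// Hypothetical helper: escape early, for comparison only.
function render_cell_early( $timestamp ) {
    $date_format = 'Y/m/d';
    $time_format = esc_html( get_option( 'time_format' ) );

    // The entities are now read as date format characters, so the
    // time is corrupted, and nothing is escaped at the point of output.
    $date = gmdate( $date_format, $timestamp );
    $time = gmdate( $time_format, $timestamp );

    return '<td>' . $date . ' ' . $time . '</td>';
}

$timestamp = 0; // constructed sample: 1970-01-01 00:00:00 UTC
echo render_cell_late( $timestamp ), PHP_EOL;
echo render_cell_early( $timestamp ), PHP_EOL;
```

The first line printed shows the markup as inert text inside the cell; the second shows the time mangled, because letters in the entities such as `l`, `t` and `g` were interpreted by the date formatter.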
