Question

I have the following code:

<a href="<?php echo esc_url( esc_attr( get_month_link( get_the_time('Y'), get_the_time('m') ) ) ); ?>"><?php the_time( get_option( 'date_format' ) ); ?></a>

My question is: am I doing too much unnecessary escaping, because as you can see I am using esc_url() combined with esc_attr()? Is this maybe overkill? THX!!


Solution

To summarize a little bit: IMO you do not need the escaping done by esc_attr (because your URL won't contain the characters it escapes) and esc_url is useless too (because I don't think the URL returned from get_month_year has to be sanitized - it's not user input).

Then? Just remove them both:

<a href="<?php echo get_month_link( get_the_time('Y'), get_the_time('m') ); ?>"><?php the_time( get_option( 'date_format' )  ); ?></a>

Of course, if you do not "trust" the get_month_year parameter validation you can keep esc_url (but let me say this may be a little bit too paranoid).
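
An added example (not part of the original answer, and not WordPress's own code) that prints the three variants discussed in this thread side by side, so the effect of each escaping call on the href value can be compared. It assumes a loaded WordPress environment; the file name, the demo_* function names and the appended query string are constructed for the demonstration. get_month_link() passes its result through the month_link filter, which the constructed callback uses to stand in for a third-party plugin.

```php
<?php
// Added example. Run inside a loaded WordPress, for instance with
// `wp eval-file month-link-escaping.php` (the file name is an assumption).

// Constructed stand-in for a third-party plugin: get_month_link() applies the
// 'month_link' filter, so the returned value is not fixed by core alone.
function demo_month_link_filter( $url ) {
	// Constructed suffix containing an ampersand and double quotes.
	return $url . '?ref=a&b="c"';
}
add_filter( 'month_link', 'demo_month_link_filter' );

// Build the three variants from the thread: no escaping, esc_url() alone,
// and the question's esc_url( esc_attr() ) combination.
function demo_month_link_variants( $year, $month ) {
	$raw = get_month_link( $year, $month );

	return array(
		'raw'               => $raw,
		'esc_url'           => esc_url( $raw ),
		'esc_url(esc_attr)' => esc_url( esc_attr( $raw ) ),
	);
}

foreach ( demo_month_link_variants( 2024, 1 ) as $label => $value ) {
	// A literal double quote in the value would close the href="..." attribute.
	$has_quote = ( false !== strpos( $value, '"' ) ) ? 'yes' : 'no';
	printf( "%-18s literal quote: %-3s %s\n", $label, $has_quote, $value );
}

// Leave the site's filters as they were found.
remove_filter( 'month_link', 'demo_month_link_filter' );
```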

Licensed under: CC-BY-SA with attribution