drm16022 2013-11-06 12:16

Too much escaping?

I have the following code:

<a href="<?php echo esc_url( esc_attr( get_month_link( get_the_time('Y'), 
get_the_time('m') ) ) ); ?>"><?php the_time( get_option( 'date_format' )  ); ?></a>

My question is: am I doing too much unnecessary escaping? As you can see, I am using esc_url() combined with esc_attr(). Is this maybe overkill? THX!!

1 answer

  • doutang1992 2013-11-06 12:32

    To summarize a little bit: IMO you do not need the escaping done by esc_attr (because your URL won't contain characters it escapes) and esc_url is useless too (because I don't think the URL returned from get_month_year has to be sanitized - it's not user input).

    Then? Just remove them both:

    <a href="<?php echo get_month_link( get_the_time('Y'), get_the_time('m') ); ?>"><?php the_time( get_option( 'date_format' )  ); ?></a>
    

    Of course, if you do not "trust" the get_month_year parameter validation, you can keep esc_url (but let me say this may be a little bit too paranoid).

    This answer was selected by the asker as the best answer.
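What each kind of escaping contributes in an `href`, as an added example that is not part of the original question or answer. `demo_esc_attr()` and `demo_esc_url()` are hypothetical, simplified stand-ins for illustration (not WordPress's implementations), and the sample URLs are constructed.

```php
<?php
// Simplified stand-ins (assumptions), not WordPress's implementations.

// Attribute-context escaping: keeps a value from breaking out of href="...".
function demo_esc_attr(string $s): string {
    // Last argument false: existing entities are not encoded a second time.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

// URL escaping: drop URLs whose scheme is not allowlisted, then make the
// result safe for an attribute. WordPress's esc_url() differs in detail.
function demo_esc_url(string $url, array $schemes = ['http', 'https']): string {
    // Browsers ignore control characters and whitespace inside a scheme.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)
        && !in_array(strtolower($m[1]), $schemes, true)) {
        return '';
    }
    return demo_esc_attr(trim($url));
}

// Constructed sample values; only the first has the shape of a month link.
$samples = [
    'https://example.com/2013/11/',
    'https://example.com/?m=201311&paged=2',
    'https://example.com/" onmouseover="x',
    'javascript:void(0)',
];

foreach ($samples as $raw) {
    $attr   = demo_esc_attr($raw);
    $url    = demo_esc_url($raw);
    $nested = demo_esc_url(demo_esc_attr($raw));
    printf("raw:      %s\n", $raw);
    printf("esc_attr: %s\n", $attr);
    printf("esc_url:  %s\n", $url === '' ? '(rejected)' : $url);
    printf("nesting changes nothing: %s\n\n", var_export($nested === $url, true));
}
```

In these stand-ins the attribute escaper passes the `javascript:` value through unchanged, so the scheme check is the only thing the URL escaper adds beyond attribute safety, and wrapping one inside the other produces the same output as the URL escaper alone.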
