esc_url today while customizing an _s theme. I understand what the function does (sanitizes the URL inside), but what I’m unsure of is the scope of its use.
It makes sense to me that if I’m accepting a URL input from a user, that I’d use this. But when I was looking at a function that displayed the entry’s meta info (see it here…line 129 at the moment), it used
esc_url, which doesn’t make sense to me.
If I’m working on a theme, do I need to be escaping ANY URL that I put in my template files?
Those function are used to produce a valid HTML and not to sanitize input. You should use them anytime you are not 100% sure that what you want to output is a valid HTML for that context.
Should you escape everything? I guess the _s theme people decided that it is better to be safe then sorry, and there is some logic to that.