This thing makes my coding difficult.
Wordpress codex reasons the use of esc_url by talking vaguely about security.
But is it really worth the trouble?
For example, what’s the important, practical security benefit by using
<?php echo esc_url( home_url( "https://wordpress.stackexchange.com/" ) ); ?>
instead of
<?php echo home_url() ?>
PS: I am not talking about theme development, but about a specific site.
If you check the documentation on Data Validation it has following to say about the function:
Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols […], eliminates invalid characters, and removes dangerous characters.
There you have it — practical security benefit. Valid protocol, no murky characters.
The answer about necessity is firmly yes. Escaping output is the most basic security practice.
