How important is sanitation, like esc_url()?

Hello :slight_smile:

With the recent reports and many hack reports on the wp_query_arg() thing, I've been wondering: how important is sanitation of URLs?

For example, would the following code be abuse-able on the front-end if esc_url() weren't there?

```php
//* Add arrow to link
//* [linkactive href="https://mylink/"]link text[/linkactive]
function hmpl_linkactive_shortcode( $atts, $content = null ) {
	$atts = shortcode_atts( array(
		'href'   => '/',
		'target' => '_self',
	), $atts, 'linkactive' );

	return '<span class="link-active"><a href="' . esc_url( esc_attr( $atts['href'] ) ) . '" target="' . esc_attr( $atts['target'] ) . '"><span class="fa fa-chevron-right"></span> ' . $content . '</a></span>';
}
add_shortcode( 'linkactive', 'hmpl_linkactive_shortcode' );
```

Even more extreme: does a hard-coded URL need sanitation when it's outside of PHP's scope, e.g. between ?> and <?php tags (rather than between <?php and ?>)? An example from my nav:

```php
?> <!-- a lot of code here -->
<a class="lhover nav-desktop" href="" target="_self" tabindex="2">
	<span class="desktopmenu">Handleiding</span>
<input type="radio" name="nav-tabs" id="nav-tab-guide" class="nav-radio">
<label for="nav-tab-guide" class="nav-mobile-icon">
	<span class="mobile-nav-link">
		<span class="link-inactive">
			<span class="fa fa-book"></span>
		<a class="link-active" href="" target="_self">
			<span class="fa fa-book"></span>
<div class="nav-mega">
	<div class="nav-content">
		<?php hmpl_nav_mega_guide(); ?>
<!-- more code here -->
```

I'm not a cracker by nature, I'm just a regular hacker :3, so it kinda baffles me how someone would find a security hole through a cached page (in HTML, that is).

So any enlightenment would be awesome!


P.S. My nav alone is ~612 lines of hard-coded HTML within PHP, lol.
For anyone interested, feel free to take this open-source file; it's a nice start to get a mega-nav + mobile-nav in one without JavaScript. It's written within the Genesis framework and contains an important part of the admin bar without showing it on mobile ^^ from line 481 through 612:
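As an added illustration (not code from the post above, and not WordPress's own implementation): a small Python model of why esc_attr() and esc_url() answer different questions for the [linkactive] shortcode. esc_attr() only HTML-encodes quote characters so the value cannot break out of the attribute, while esc_url() additionally rejects URL schemes outside an allowlist; the scheme list and the character stripping are a simplified approximation of WordPress's defaults, which are filterable and may differ between versions.

```python
import re
from html import escape

# Simplified model of WordPress's default wp_allowed_protocols() list
# (assumption: the real list is filterable and may differ per version).
ALLOWED_SCHEMES = {
    "http", "https", "ftp", "ftps", "mailto", "news", "irc", "gopher", "nntp",
    "feed", "telnet", "mms", "rtsp", "sms", "svn", "tel", "fax", "xmpp", "webcal", "urn",
}


def esc_attr(value: str) -> str:
    """Attribute escaping only: encodes & < > " ' so the value cannot close the
    attribute. It says nothing about what the value *means* as a URL."""
    return escape(value, quote=True)


def esc_url(url: str) -> str:
    """Simplified esc_url(): strip whitespace/control characters (so a scheme
    split by a tab cannot slip past the check), return '' for any scheme not on
    the allowlist, default bare hosts to http://, then attribute-escape the
    result for use inside href="..."."""
    url = re.sub(r"[\x00-\x20\x7f]", "", url)
    if not url:
        return ""
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", url, re.IGNORECASE)
    if m:
        if m.group(1).lower() not in ALLOWED_SCHEMES:
            return ""
    elif not url.startswith(("/", "#", "?")):
        url = "http://" + url
    return esc_attr(url)


def render_linkactive(href="/", target="_self", content="", sanitize_url=True):
    """Output of the [linkactive] shortcode. sanitize_url=False renders the
    esc_attr()-only variant the question asks about, for comparison."""
    safe_href = esc_url(href) if sanitize_url else esc_attr(href)
    return ('<span class="link-active"><a href="%s" target="%s">'
            '<span class="fa fa-chevron-right"></span> %s</a></span>'
            % (safe_href, esc_attr(target), content))
```

The href coming from a shortcode attribute is editor-controlled content, so the URL check (not just the quote escaping) is what keeps a non-http scheme out of the rendered link; a hard-coded href in template HTML has no such input and the question does not arise.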