Is this totally safe

Maybe it is, maybe it isn’t. I would approach this problem with another angle, ignoring safety just for now…

URL encoding serves a purpose: percent-encoding (what it’s actual name is) a url. Imagine “url encoding” would replace all spaces with <space width='1'> instead of the actual %20 or whatever the heck it does now. The url “...?q=foo bar” would become, in our imaginary example, “...?q=foo<space width='1'>bar” and be a correctly “url encoded” url. This might be useful in a PDF or CSV file or whatever other type of output you’d be creating, but in HTML this would cause trouble. In your case because of the ' which would “end” the href attribute leaving 1'> as garbage.

<a href='https://example.com/search?q=foo<space width='1'>'>

Because your output is intended for HTML you should actually, IMHO at least, do HTMLEncode(URLEncode(MyUrl)) (pseudocode).

Remember this: escaping is always done within a specific context. For SQL you need some “mysql_real_escape”-alike stuff to escape quotes etc. to avoid SQL injection vulnarabilities. In HTML you need to escape characters like " and <, in an RTF file you would need to escape even other strings/characters like (I don’t actually know) \ would become \\ or something similar, in a CSV file you’d need to escape , or ; within a field value and in a JSON output you’d need a string containing a " to be escaped as \". Each type of output(format) needs it’s own escaping/encoding.

What you are now doing is “nesting contexts”, you’re nesting a “url context” in an “HTML context”. So you’d have to escape/encode accordingly.

As TrueBlue demonstrates it is not safe.