FPCSJames
commented
6 years ago This is mostly fine - in fact, you don't need to escape the permalink, as that's already sanitized by WP. However, for the title attribute, you should do:
the_title_attribute(array('echo' => false, 'post' => $item->ID));
See this comment.
Otherwise what you're doing is very similar to what's done in the loop and given as example in the codex and dev docs.
Currently using
$return .= '<a href="' . esc_url($permalink) . '" title="' . esc_html($post_title) . '" rel="nofollow">' . esc_html($post_title) . '</a> ';This shows the HTML to the user unlike the title in a WordPress loop.