[wp-trac] [WordPress Trac] #52886: Update esc_url to allow for specifying an https:// as default protocol
WordPress Trac
noreply at wordpress.org
Wed Jul 9 21:50:51 UTC 2025
#52886: Update esc_url to allow for specifying an https:// as default protocol
-------------------------------------------------+-------------------------
Reporter: mkaz | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future
| Release
Component: Formatting | Version:
Severity: normal | Resolution:
Keywords: has-patch needs-dev-note has-unit- | Focuses:
tests |
-------------------------------------------------+-------------------------
Old description:
> If no protocol is specified for esc_url the function will automatically
> prepend the http:// protocol. This is likely now the wrong assumption,
> but potentially can break backwards compatibility if changed, since
> developers may rely on this.
>
> So this change proposes an additional parameter to the function to
> specify a default protocol, keeping the old default but now allowing for
> one to ask for https://
>
> This came up in this ticket:
> https://github.com/WordPress/gutenberg/pull/30100
>
> The usage could then be:
>
> {{{
> esc_url( $url, null, 'display', 'https://' );
> }}}
New description:
If no protocol is specified for `esc_url` the function will automatically
prepend the `http://` protocol. This is likely now the wrong assumption,
but potentially can break backwards compatibility if changed, since
developers may rely on this.
So this change proposes an additional parameter to the function to specify
a default protocol, keeping the old default but now allowing for one to
ask for `https://`
This came up in this ticket:
[https://github.com/WordPress/gutenberg/pull/30100 GB30100]
The usage could then be:
{{{
esc_url( $url, null, 'display', 'https://' );
}}}
--
Comment (by sabernhardt):
@pcarvalho suggested using the
[https://core.trac.wordpress.org/ticket/46673#comment:4 first allowed
$protocols] value (in the existing argument).
The following code would change the [https://github.com/WordPress
/wordpress-develop/blob/trunk/src/wp-includes/formatting.php#L4508
fallback] scheme to `https://` only if
1. `esc_url()` or `esc_url_raw()` includes an array as the second argument
and
2. 'https' is the first value in that array.
{{{#!php
$scheme = ( is_array( $protocols ) && 'https' === reset( $protocols ) ) ?
'https://' : 'http://';
$url = $scheme . $url;
}}}
Results:
{{{#!php
echo esc_url( 'example.org' ); //
http://example.org
echo esc_url( 'http-first.example.org', array( 'http', 'https' ) ); //
http://http-first.example.org
echo esc_url( 'https-first.example.org', array( 'https', 'http' ) ); //
https://https-first.example.org
}}}
----
I also tried to change the default with a filter
(`kses_allowed_protocols`), though supporting that could be unnecessarily
complex. If customizing the order of the `wp_allowed_protocols()` array
would not cause problems elsewhere, then `esc_url()` might check whether
'https' is the first value in either the `$protocols` argument or the
allowed protocols array:
{{{#!php
$scheme = 'http://';
$allowed_protocols = wp_allowed_protocols();
if ( is_array( $allowed_protocols ) && in_array( 'https',
$allowed_protocols )
&& ( is_array( $protocols ) && 'https' === reset( $protocols ) ||
( ! is_array( $protocols ) && 'https' === reset( $allowed_protocols ) ) )
) {
$scheme = 'https://';
}
$url = $scheme . $url;
}}}
Results:
{{{#!php
echo esc_url( 'example.org' ); //
https://example.org
echo esc_url( 'http-first.example.org', array( 'http', 'https' ) ); //
http://http-first.example.org
echo esc_url( 'https-first.example.org', array( 'https', 'http' ) ); //
https://https-first.example.org
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52886#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list