Make WordPress Core

Opened 17 months ago

Closed 17 months ago

Last modified 16 months ago

#50195 closed enhancement (wontfix)

Default esc_url scheme

Reported by: Rahe
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:



By default, esc_url will add http:// to schemeless URLs. In my opinion, it's more secure to generate https links by default if the scheme is unknown, and let users deactivate this if needed.


Change History (4)

This ticket was mentioned in PR #276 on WordPress/wordpress-develop by Rahe.

17 months ago

Default esc_url scheme for unknown scheme

Trac ticket: https://core.trac.wordpress.org/ticket/50195

#2 @johnbillion
17 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Thanks for the suggestion, but this isn't workable because if the host being linked to is not configured for HTTPS then the link will not work. If the server supports HTTPS then the HTTP URL usually redirects to it, but the opposite is not true.

#3 @Rahe
17 months ago


But if this is used on static resources, you generate mixed content and possibly embed problematic content on a protected site.
I can edit my PR and let http:// stay as the default, so that we as developers can force https.

#4 @prbot
16 months ago

ocean90 commented on PR #276:

The ticket was closed as wontfix.

You might want to take a look at set_url_scheme() to enforce https.
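
The suggestion above, combined with the caveat from comment #2, as an added example (not WordPress core code and not taken from PR #276). The `myplugin_` names and the host allow-list are hypothetical; the sketch assumes it is loaded as part of a plugin or theme so the WordPress functions are available.

```php
<?php
/**
 * Upgrade asset URLs to https on an HTTPS page, but only for hosts known to
 * serve HTTPS, so that links to HTTP-only hosts keep working.
 */

// Assumption: hypothetical allow-list; list only hosts you have verified.
const MYPLUGIN_HTTPS_HOSTS = array( 'cdn.example.com', 'static.example.org' );

function myplugin_force_https( $src ) {
	if ( ! is_string( $src ) || '' === $src || ! is_ssl() ) {
		return $src; // Plain-HTTP page: no mixed content to avoid.
	}

	// esc_url_raw() applies the rule the ticket describes: called directly on
	// a schemeless "cdn.example.com/app.js" it returns "http://cdn.example.com/app.js".
	$url  = esc_url_raw( $src );
	$host = wp_parse_url( $url, PHP_URL_HOST );

	// Relative URLs have no host; unknown hosts may not support HTTPS.
	if ( ! $host || ! in_array( strtolower( $host ), MYPLUGIN_HTTPS_HOSTS, true ) ) {
		return $src;
	}

	// set_url_scheme() only rewrites an existing scheme or a leading "//";
	// it does not add one to a schemeless URL, hence the normalisation above.
	return set_url_scheme( $url, 'https' );
}

// Apply to enqueued static resources; the helper can also be called directly
// on a URL before it is passed to esc_url() for output.
add_filter( 'script_loader_src', 'myplugin_force_https' );
add_filter( 'style_loader_src', 'myplugin_force_https' );
```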
