Context Navigation

← Previous Ticket
Next Ticket →

#50195 closed enhancement (wontfix)

Default esc_url scheme

Reported by:	Rahe	Owned by:
Milestone:		Priority:	normal
Severity:	normal	Version:
Component:	Security	Keywords:
Focuses:		Cc:

Description

Hello,

By default esc_url will add http:// to the schemeless urls, in my opinion it's more secure to generate https links by default if scheme unknown, and let the users to deactive this if needed.

Nicolas,

Change History (4)

This ticket was mentioned in PR #276 on WordPress/wordpress-develop by Rahe.

5 years ago #1

Default esc_url scheme for unknown scheme

Trac ticket: https://core.trac.wordpress.org/ticket/50195

#2 @johnbillion
5 years ago

Milestone Awaiting Review deleted
Resolution set to wontfix
Status changed from new to closed

Thanks for the suggestion, but this isn't workable because if the host being linked to is not configured for HTTPS then the link will not work. If the server supports HTTPS then the HTTP URL usually redirects to it, but the opposite is not true.

#3 @Rahe
5 years ago

Hello,

But if this is used on static ressources, you generate mixed content and possibly embed problematic content on protected site.
I can edit my PR and let the http:// stays by default, so we can as developpers force https.

ocean90 commented on PR #276:

5 years ago #4

The ticket was closed as wontfix.

You might want to take a look at set_url_scheme() to enforce https.

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats:

Make WordPress Core