Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#50195 closed enhancement (wontfix)

Default esc_url scheme

Reported by: Rahe
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:



By default, esc_url will add http:// to schemeless URLs. In my opinion, it's more secure to generate https links by default if the scheme is unknown, and let users deactivate this if needed.


Change History (4)

This ticket was mentioned in PR #276 on WordPress/wordpress-develop by Rahe.

4 years ago

Default esc_url scheme for unknown scheme

Trac ticket:

#2 @johnbillion
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Thanks for the suggestion, but this isn't workable because if the host being linked to is not configured for HTTPS then the link will not work. If the server supports HTTPS then the HTTP URL usually redirects to it, but the opposite is not true.

#3 @Rahe
4 years ago


But if this is used on static resources, you generate mixed content and possibly embed problematic content on a protected site.
I can edit my PR and let http:// stay the default, so we as developers can force https.

ocean90 commented on PR #276:

4 years ago

The ticket was closed as wontfix.

You might want to take a look at set_url_scheme() to enforce https.
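An added example, not part of the ticket thread or of WordPress core: a site-level opt-in that upgrades only the URLs esc_url() received without a scheme, using the existing `clean_url` filter and set_url_scheme(). The function name `example_upgrade_schemeless_url` is hypothetical, and the snippet assumes it is loaded as a plugin or from a theme's functions.php.

```php
<?php
/**
 * Added example (not WordPress core code).
 * Opt in to https for URLs that esc_url() was given without a scheme.
 * As noted in the ticket, the resulting link breaks if the target host
 * does not serve HTTPS, so enable this only where that is known to hold.
 */
function example_upgrade_schemeless_url( $good_protocol_url, $original_url, $_context ) {
	$original_url = ltrim( (string) $original_url );

	// Leave the URL alone unless esc_url() itself had to add a scheme:
	// inputs with a colon already carry one, and inputs starting with
	// "/", "#" or "?" are relative and are never prefixed.
	if ( '' === $original_url
		|| false !== strpos( $original_url, ':' )
		|| in_array( $original_url[0], array( '/', '#', '?' ), true )
	) {
		return $good_protocol_url;
	}

	// esc_url() prefixed "http://"; swap that prefix for https.
	// Explicit http:// links written by authors are not affected,
	// because they were excluded by the colon check above.
	if ( 0 === strpos( $good_protocol_url, 'http://' ) ) {
		return set_url_scheme( $good_protocol_url, 'https' );
	}

	return $good_protocol_url;
}
add_filter( 'clean_url', 'example_upgrade_schemeless_url', 10, 3 );

// Per-call alternative for a single static resource, where mixed
// content is the concern ($src is a hypothetical variable):
// echo set_url_scheme( esc_url( $src ), 'https' );
```

Unlike the filter, the per-call form also rewrites URLs that were explicitly written as http://.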
