Make WordPress Core

Changes between Version 5 and Version 16 of Ticket #52886


Timestamp: 07/09/2025 09:50:51 PM (4 months ago)
Author: sabernhardt
Comment:

@pcarvalho suggested using the first allowed $protocols value (in the existing argument).

The following code would change the fallback scheme to https:// only if

  1. esc_url() or esc_url_raw() includes an array as the second argument and
  2. 'https' is the first value in that array.

$scheme = ( is_array( $protocols ) && 'https' === reset( $protocols ) ) ? 'https://' : 'http://';
$url    = $scheme . $url;

Results:

echo esc_url( 'example.org' );                                       // http://example.org
echo esc_url( 'http-first.example.org', array( 'http', 'https' ) );  // http://http-first.example.org
echo esc_url( 'https-first.example.org', array( 'https', 'http' ) ); // https://https-first.example.org

I also tried to change the default with a filter (kses_allowed_protocols), though supporting that could be unnecessarily complex. If customizing the order of the wp_allowed_protocols() array would not cause problems elsewhere, then esc_url() might check whether 'https' is the first value in either the $protocols argument or the allowed protocols array:

$scheme            = 'http://';
$allowed_protocols = wp_allowed_protocols();
if ( is_array( $allowed_protocols ) && in_array( 'https', $allowed_protocols )
        && ( is_array( $protocols ) && 'https' === reset( $protocols ) || ( ! is_array( $protocols ) && 'https' === reset( $allowed_protocols ) ) ) ) {
        $scheme = 'https://';
}
$url = $scheme . $url;

Results:

echo esc_url( 'example.org' );                                       // https://example.org
echo esc_url( 'http-first.example.org', array( 'http', 'https' ) );  // http://http-first.example.org
echo esc_url( 'https-first.example.org', array( 'https', 'http' ) ); // https://https-first.example.org
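
Added example (not part of the comment above and not WordPress core code): a stand-alone PHP harness that wraps the two scheme-selection snippets from the comment in functions and runs them over `$protocols` inputs the results above do not list, such as an empty array, an uppercase 'HTTPS', and an allowed list without 'https'. The function names and the short allowed-protocol lists are assumptions made for the example; no WordPress functions are called.

```php
<?php
// Added example: stand-alone harness, not WordPress core code.
// Function names and the allowed-protocol lists below are constructed for illustration.

// First snippet from the comment: only the $protocols argument decides.
function fallback_scheme_argument_only( $protocols ) {
	return ( is_array( $protocols ) && 'https' === reset( $protocols ) ) ? 'https://' : 'http://';
}

// Second snippet: with no $protocols array, the order of the allowed list decides.
// $allowed_protocols stands in for the return value of wp_allowed_protocols().
// Parentheses around the && groups are added for readability only.
function fallback_scheme_with_allowed_list( $protocols, $allowed_protocols ) {
	$scheme = 'http://';
	if ( is_array( $allowed_protocols ) && in_array( 'https', $allowed_protocols )
		&& ( ( is_array( $protocols ) && 'https' === reset( $protocols ) )
			|| ( ! is_array( $protocols ) && 'https' === reset( $allowed_protocols ) ) ) ) {
		$scheme = 'https://';
	}
	return $scheme;
}

// Constructed allowed lists: http first, reordered to https first, and https removed.
$allowed_lists = array(
	'http-first'  => array( 'http', 'https', 'mailto' ),
	'https-first' => array( 'https', 'http', 'mailto' ),
	'no-https'    => array( 'http', 'mailto' ),
);

// Constructed $protocols arguments, including cases the comment's results do not cover.
$arguments = array(
	'null (argument omitted)'  => null,
	"array( 'https', 'http' )" => array( 'https', 'http' ),
	"array( 'http', 'https' )" => array( 'http', 'https' ),
	'array() (empty)'          => array(),
	"array( 'HTTPS' )"         => array( 'HTTPS' ),
	"array( 7 => 'https' )"    => array( 7 => 'https' ),
);

// Print the fallback scheme each snippet selects for every argument and allowed list.
foreach ( $arguments as $label => $protocols ) {
	printf( "%-26s argument-only: %s\n", $label, fallback_scheme_argument_only( $protocols ) );
	foreach ( $allowed_lists as $name => $allowed ) {
		printf( "%-26s allowed %-11s: %s\n", '', $name, fallback_scheme_with_allowed_list( $protocols, $allowed ) );
	}
}
```

The script runs under the PHP command-line interpreter without a WordPress install.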

  • Ticket #52886

    • Property Keywords has-unit-tests added; needs-unit-tests removed
    • Property Milestone changed from 5.8 to Future Release
  • Ticket #52886 – Description

    v5 v16  
    11
    2 If no protocol is specified for esc_url the function will automatically prepend the http:// protocol. This is likely now the wrong assumption, but potentially can break backwards compatibility if changed, since developers may rely on this.
     2If no protocol is specified for `esc_url` the function will automatically prepend the `http://` protocol. This is likely now the wrong assumption, but potentially can break backwards compatibility if changed, since developers may rely on this.
    33
    4 So this change proposes an additional parameter to the function to specify a default protocol, keeping the old default but now allowing for one to ask for https://
     4So this change proposes an additional parameter to the function to specify a default protocol, keeping the old default but now allowing for one to ask for `https://`
    55
    6 This came up in this ticket: https://github.com/WordPress/gutenberg/pull/30100
     6This came up in this ticket: [https://github.com/WordPress/gutenberg/pull/30100 GB30100]
    77
    88The usage could then be: