From 789ad72ae0952d7a97a5670cff67689f68967c78 Mon Sep 17 00:00:00 2001
From: "Stephen A. Bernhardt"
Date: Thu, 11 Sep 2025 01:40:04 -0500
Subject: [PATCH 1/3] Try replacing hardcoded http
---
 src/wp-includes/formatting.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index 258a261bd4983..2d0414bc043d6 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -4679,7 +4679,8 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 if ( ! str_contains( $url, ':' ) && ! in_array( $url[0], array( '/', '#', '?' ), true ) &&
 ! preg_match( '/^[a-z0-9-]+?\.php/i', $url )
 ) {
- $url = 'http://' . $url;
+ $scheme = ( is_array( $protocols ) && 'https' === reset( $protocols ) ) ? 'https://' : 'http://';
+ $url = $scheme . $url;
 }
 
 // Replace ampersands and single quotes only when displaying.
From 9a4ef7a09a368de6cf75f2c11e04faf740781d75 Mon Sep 17 00:00:00 2001
From: "Stephen A. Bernhardt"
Date: Thu, 11 Sep 2025 02:12:03 -0500
Subject: [PATCH 2/3] Change `test_protocol()` unit test to fit new behavior
---
 tests/phpunit/tests/formatting/escUrl.php | 34 ++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/tests/phpunit/tests/formatting/escUrl.php b/tests/phpunit/tests/formatting/escUrl.php
index 6fdd582617a19..e994ecdebd30b 100644
--- a/tests/phpunit/tests/formatting/escUrl.php
+++ b/tests/phpunit/tests/formatting/escUrl.php
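Review bot: The scheme chosen on the added `$scheme` line depends on array order rather than on what the caller allows: `array( 'http', 'https' )` still yields `http://` although https is permitted, while `array( 'https', 'http' )` yields `https://`, and nothing in esc_url's `@param` docblock (outside the hunk) tells callers that position matters. An order-independent rule would be less surprising and stays backward compatible for lists that include http, e.g. `$scheme = ( is_array( $protocols ) && in_array( 'https', $protocols, true ) && ! in_array( 'http', $protocols, true ) ) ? 'https://' : 'http://';`; if the first-element convention is deliberate, it belongs on the `$protocols` parameter documentation. Also note that `reset()` on an empty `$protocols` array returns false, so the fallback is `http://`, which the later protocol check presumably rejects the same way the removed `''` test expectation did — worth an explicit test. esc_url starts and ends outside the hunk.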
@@ -90,16 +90,48 @@ public function test_encoding() {
 }
 
 /**
+ * @ticket 23605
+ * @ticket 52886
+ *
 * @covers ::wp_allowed_protocols
 */
 public function test_protocol() {
 $this->assertSame( 'http://example.com', esc_url( 'http://example.com' ) );
 $this->assertSame( '', esc_url( 'nasty://example.com/' ) );
 $this->assertSame(
- '',
+ 'https://example.com',
+ esc_url(
+ 'example.com',
+ array(
+ 'https',
+ )
+ )
+ );
+ $this->assertSame(
+ 'http://example.com',
 esc_url(
 'example.com',
 array(
+ 'http',
+ )
+ )
+ );
+ $this->assertSame(
+ 'https://example.com',
+ esc_url(
+ 'example.com',
+ array(
+ 'https',
+ 'http',
+ )
+ )
+ );
+ $this->assertSame(
+ 'http://example.com',
+ esc_url(
+ 'example.com',
+ array(
+ 'http',
 'https',
 )
 )
From fa611c39ca2610632028feb8f60625eee24fc033 Mon Sep 17 00:00:00 2001
From: "Stephen A. Bernhardt"
Date: Fri, 12 Sep 2025 01:38:54 -0500
Subject: [PATCH 3/3] Add to comment in `esc_url()`
---
 src/wp-includes/formatting.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index 2d0414bc043d6..1c5535b735368 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -4674,7 +4674,8 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 /*
 * If the URL doesn't appear to contain a scheme, we presume
 * it needs http:// prepended (unless it's a relative link
- * starting with /, # or ?, or a PHP file).
+ * starting with /, # or ?, or a PHP file). If the first item
+ * in $protocols is 'https', then https:// is prepended.
 */
 if ( ! str_contains( $url, ':' ) && ! in_array( $url[0], array( '/', '#', '?' ), true ) &&
 ! preg_match( '/^[a-z0-9-]+?\.php/i', $url )
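Review bot: Replacing the old `''` expectation drops the only assertion that a scheme-less URL is rejected when the allow-list does not contain the scheme that gets prepended, and none of the four new cases cover an allow-list without http or https, or an empty array. Adding `$this->assertSame( '', esc_url( 'example.com', array( 'mailto' ) ) );` and `$this->assertSame( '', esc_url( 'example.com', array() ) );` would pin that the new `$scheme` fallback still fails closed rather than silently producing an `http://` URL; I have not verified the empty-array result and it may need adjusting. The `@covers ::wp_allowed_protocols` tag on the docblock being edited looks off, since every assertion in the method calls `esc_url()`; `@covers ::esc_url` would reflect what is actually exercised. test_protocol continues past the end of the hunk.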
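Review bot: The extended comment explains the https case but leaves the default path unstated: when `$protocols` is null (the declared default) the `is_array()` guard fails and `http://` is still prepended, which is the case most callers hit. Suggest finishing the sentence so the reader does not have to check the code: `* in $protocols is 'https', then https:// is prepended; when` / `* $protocols is null (the default), http:// is used.` The function docblock above this block, outside the hunk, is where callers will look, so the `$protocols` `@param` description should carry the same note if the project documents behavior changes there. esc_url starts and ends outside the hunk.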