Formatting: Allow specifying https:// as the default protocol in esc_url().

`esc_url()` will now  prepend `https://` to the URL if it does not already contain a scheme and the first item in the `$protocols` array is `'https'`.

Follow-up to [5088], [6015], [13299], [33851], [60672].

Props sabernhardt, mkaz, rachelbaker, audrasjb, costdev, aksl95, johnbillion, pcarvalho, SergeyBiryukov.
Fixes #52886.

git-svn-id: https://develop.svn.wordpress.org/trunk@60734 602fd350-edb4-49c9-b593-d223f7449a82

Author: SergeyBiryukov

src/wp-includes/formatting.php

@@ -4642,6 +4642,8 @@ function esc_sql( $data ) {
  * is applied to the returned cleaned URL.
  *
  * @since 2.8.0
+ * @since 6.9.0 Prepends `https://` to the URL if it does not already contain a scheme
+ *              and the first item in `$protocols` is 'https'.
  *
  * @param string   $url       The URL to be cleaned.
  * @param string[] $protocols Optional. An array of acceptable protocols.
@@ -4674,12 +4676,14 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 	/*
 	 * If the URL doesn't appear to contain a scheme, we presume
 	 * it needs http:// prepended (unless it's a relative link
-	 * starting with /, # or ?, or a PHP file).
+	 * starting with /, # or ?, or a PHP file). If the first item
+	 * in $protocols is 'https', then https:// is prepended.
 	 */
 	if ( ! str_contains( $url, ':' ) && ! in_array( $url[0], array( '/', '#', '?' ), true ) &&
 		! preg_match( '/^[a-z0-9-]+?\.php/i', $url )
 	) {
-		$url = 'http://' . $url;
+		$scheme = ( is_array( $protocols ) && 'https' === array_first( $protocols ) ) ? 'https://' : 'http://';
+		$url    = $scheme . $url;
 	}
 
 	// Replace ampersands and single quotes only when displaying.

tests/phpunit/tests/formatting/escUrl.php

@@ -90,16 +90,48 @@ public function test_encoding() {
 	}
 
 	/**
+	 * @ticket 23605
+	 * @ticket 52886
+	 *
 	 * @covers ::wp_allowed_protocols
 	 */
 	public function test_protocol() {
 		$this->assertSame( 'http://example.com', esc_url( 'http://example.com' ) );
 		$this->assertSame( '', esc_url( 'nasty://example.com/' ) );
 		$this->assertSame(
-			'',
+			'https://example.com',
+			esc_url(
+				'example.com',
+				array(
+					'https',
+				)
+			)
+		);
+		$this->assertSame(
+			'http://example.com',
 			esc_url(
 				'example.com',
 				array(
+					'http',
+				)
+			)
+		);
+		$this->assertSame(
+			'https://example.com',
+			esc_url(
+				'example.com',
+				array(
+					'https',
+					'http',
+				)
+			)
+		);
+		$this->assertSame(
+			'http://example.com',
+			esc_url(
+				'example.com',
+				array(
+					'http',
 					'https',
 				)
 			)