Describe the bug
URLs are sanitized with http, not https. This could lead to privacy loss / redirection / other attacks.
Steps to reproduce (I have confirmed I can reproduce this issue on the develop branch):
- Create a field of type text_url
- Open a page with that field
- Enter google.com in the field
- Save the page
Expected
https://google.com/
Actual
http://google.com/
Possible Solution
If the original URL didn't contain a protocol, use set_url_scheme() to set it to HTTPS.
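
A sketch of the behaviour proposed above, as an added example that is not part of the original report and is not WordPress or plugin code: scheme-less input gets an explicit https:// prefix before it is handed to the URL sanitizer, so no http default is applied. The helper name `default_url_to_https` and the sample inputs are hypothetical, and the host:port check is a heuristic assumption.

```php
<?php
// Added example: hypothetical helper, not WordPress or plugin code.
// Gives scheme-less input an explicit https:// prefix before sanitization.
function default_url_to_https(string $input): string
{
    $url = trim($input);
    if ($url === '') {
        return $url;
    }

    // Protocol-relative URL (//example.com/path): pin it to https.
    if (strncmp($url, '//', 2) === 0) {
        return 'https:' . $url;
    }

    // Relative references (path, fragment, query) are not absolute URLs.
    if (strpos('/#?', $url[0]) !== false) {
        return $url;
    }

    // "example.com:8080/x" parses like "scheme:rest" but is a host with a port.
    // Heuristic: the host part contains a dot or is "localhost".
    $hostWithPort = preg_match(
        '~^(?:localhost|[^/?#:]*\.[^/?#:]+):\d+(?:[/?#]|$)~i',
        $url
    ) === 1;

    // An explicit scheme (http:, https:, mailto:, ...) is the user's choice
    // and is left untouched; only input without a scheme is changed.
    $hasScheme = preg_match('~^[a-z][a-z0-9+.\-]*:~i', $url) === 1;
    if ($hasScheme && !$hostWithPort) {
        return $url;
    }

    return 'https://' . $url;
}

// Constructed sample inputs.
$samples = [
    'google.com', 'http://google.com/', '//cdn.example.com/a.js',
    'example.com:8080/admin', '/relative/path', 'mailto:user@example.com',
];
foreach ($samples as $s) {
    printf("%-26s => %s\n", $s, default_url_to_https($s));
}
```

The returned value is still untrusted input and would go through the field's normal URL sanitization afterwards.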