Syntax

esc_url( string $url, array $protocols = null, string $_context = ‘display’ )

Usage

It is used to clean and escape for output as a URL and to convert and fixe the HTML entities.  Sanitizes a string and removes disallowed URL protocols. Retrieve a list of protocols to allow in HTML attributes.
Add this below code in wp-includes/plugin.php


function esc_url( $url, $protocols = null, $_context = 'display' ) {
    $original_url = $url;
    if ( '' == $url ) {
        return $url;
    }
    $url = str_replace( ' ', '%20', ltrim( $url ) );
    $url = preg_replace( '|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url );
    if ( '' === $url ) {
        return $url;
    }
    if ( 0 !== stripos( $url, 'mailto:' ) ) {
        $strip = array( '%0d', '%0a', '%0D', '%0A' );
        $url = _deep_replace( $strip, $url );
    }
    $url = str_replace( ';//', '://', $url );
   
    if ( strpos( $url, ':' ) === false && ! in_array( $url[0], array( '/', '#', '?' ) ) &&
        ! preg_match( '/^[a-z0-9-]+?\.php/i', $url ) ) {
        $url = 'http://' . $url;
    }
    // Replace ampersands and single quotes only when displaying.
    if ( 'display' == $_context ) {
        $url = wp_kses_normalize_entities( $url );
        $url = str_replace( '&', '&', $url );
        $url = str_replace( "'", ''', $url );
    }
    if ( ( false !== strpos( $url, '[' ) ) || ( false !== strpos( $url, ']' ) ) ) {
        $parsed = wp_parse_url( $url );
        $front = '';
        if ( isset( $parsed['scheme'] ) ) {
            $front .= $parsed['scheme'] . '://';
        } elseif ( '/' === $url[0] ) {
            $front .= '//';
        }
        if ( isset( $parsed['user'] ) ) {
            $front .= $parsed['user'];
        }
        if ( isset( $parsed['pass'] ) ) {
            $front .= ':' . $parsed['pass'];
        }
        if ( isset( $parsed['user'] ) || isset( $parsed['pass'] ) ) {
            $front .= '@';
        }
        if ( isset( $parsed['host'] ) ) {
            $front .= $parsed['host'];
        }
        if ( isset( $parsed['port'] ) ) {
            $front .= ':' . $parsed['port'];
        }
        $end_dirty = str_replace( $front, '', $url );
        $end_clean = str_replace( array( '[', ']' ), array( '%5B', '%5D' ), $end_dirty );
        $url   = str_replace( $end_dirty, $end_clean, $url );
    }
    if ( '/' === $url[0] ) {
        $good_protocol_url = $url;
    } else {
        if ( ! is_array( $protocols ) ) {
            $protocols = wp_allowed_protocols();
        }
        $good_protocol_url = wp_kses_bad_protocol( $url, $protocols );
        if ( strtolower( $good_protocol_url ) != strtolower( $url ) ) {
            return '';
        }
    }
    return apply_filters( 'clean_url', $good_protocol_url, $original_url, $_context );
}