fix(totp): otpauth link in QR code URL #784

Merged
kasparsd merged 1 commit into WordPress:master from sjinks:fix-otpauth-url on Feb 9, 2026
sjinks (Contributor) commented Feb 9, 2026

What?

The TOTP URL inside the #two-factor-qr-code paragraph in the User Profile is not rendered because esc_url() returns an empty string if it encounters an unknown/not allowed protocol.

Fixes: #783

Why?

esc_url() returns an empty string if it encounters an unknown/not allowed protocol. otpauth: is not among the allowed ones.

How?

Pass array( 'otpauth' ) to esc_url().

Testing Instructions

  1. Log in.
  2. Go to /wp-admin/profile.php
  3. Check the link around the QR code under the "Please scan the QR code or manually copy the shared secret key from below to your Authenticator app:" label.

Changelog Entry

Fixed - OTP Authentication URL is rendered correctly.
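
The behaviour described in this pull request, as an added example that is not part of the PR or the plugin's code. It assumes WordPress is loaded; the helper name `example_totp_link()` and the sample issuer, account and secret are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded
// (esc_url(), esc_html(), WP_Error). example_totp_link() is a hypothetical helper.

function example_totp_link( $issuer, $account, $secret ) {
	// otpauth key URI: otpauth://totp/<issuer>:<account>?secret=...&issuer=...
	$uri = sprintf(
		'otpauth://totp/%1$s:%2$s?secret=%3$s&issuer=%1$s',
		rawurlencode( $issuer ),
		rawurlencode( $account ),
		rawurlencode( $secret )
	);

	// Pass an explicit allowlist for this one call. Without the second
	// argument esc_url() checks the default protocol list, which (per the
	// PR description) does not contain otpauth, and the result is ''.
	$href = esc_url( $uri, array( 'otpauth' ) );

	// Fail loudly rather than emit <a href="">. Keep the URI out of the
	// message: it carries the shared secret.
	if ( '' === $href ) {
		return new WP_Error( 'otpauth_url_rejected', 'esc_url() rejected the otpauth URL.' );
	}

	return sprintf( '<a href="%s">%s</a>', $href, esc_html( $account ) );
}

// Constructed sample values, for comparison of the two calls.
$sample = 'otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example';
var_dump( esc_url( $sample ) );                     // default protocol allowlist
var_dump( esc_url( $sample, array( 'otpauth' ) ) ); // allowlist used by the fix

$link = example_totp_link( 'Example', 'alice', 'JBSWY3DPEHPK3PXP' );
echo is_wp_error( $link ) ? $link->get_error_message() : $link;
```

Scoping the allowlist to the single `esc_url()` call keeps `otpauth` out of the site-wide protocol list, so other escaped URLs are unaffected.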

github-actions bot commented Feb 9, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: sjinks <volodymyrkolesnykov@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

kasparsd (Collaborator) left a comment

Thank you! Not sure how this got missed. I see that other instances have the protocol added correctly.

kasparsd merged commit 9feb978 into WordPress:master on Feb 9, 2026
29 checks passed
sjinks (Contributor, Author) commented Feb 9, 2026

I was training my agent (it reviews plugins and scans them for security issues and bugs - I am doing this for WPVIP), and it found this issue 🙂

kasparsd (Collaborator) commented Feb 9, 2026

@sjinks Nice!

Does that mean that WPVIP is now running the latest revision of the plugin?

sjinks (Contributor, Author) commented Feb 9, 2026

Automattic/vip-go-mu-plugins#6742

0.14.2 runs in staging environments. Tomorrow it will be in production.

Linked issue: TOTP URL Around QR Code is not Rendered