Update default from http to https in urlize when protocol not provided

[Saravana]

In django/utils/html.py, urlize there is:

url = smart_urlquote("http://%s" % html.unescape(middle))

When user input does not include a protocol it defaults to http (Insecure Protocol).

Example :
Considered a web app using urlize() for password reset email template

input = "Password reset link myapp.com/password/reset/{token}"

output:

"Password reset link <a href="http://myapp.com/password/reset/{token}"/>"

so when end user of myapp clicks it the url with token sent in http insecure protocol.
This behavior could potentially lead to man-in-the-middle attacks

Suggested Fix:
Default to HTTPS: If the URL doesn't specify a protocol, Django could default to ​https://

[Sarah Boyce]

Thank you!
Note that the security team discussed this and agreed this can be handled publicly. This is similar to #34380.

[Adam Johnson]

I think we can use a plan similar to how #34380 shook out, with a plan like:

1. Introduce a transitional setting (URLIZE_ASSUME_HTTPS) that defaults to False. This goes on the deprecation plan for removal in N+2 versions.
2. When the ​responsible code path is hit (which should be fairly rare as it only applies to ​limited domains), check the setting. If it’s False, warn and use 'http', otherwise use 'https'.