From e7cea7748cc08254239e90f8846ff1085c3598d2 Mon Sep 17 00:00:00 2001 From: girishpanchal30 Date: Thu, 25 Jun 2026 12:46:43 +0530 Subject: [PATCH 1/2] fix: escape URLs to prevent XSS --- inc/url_replacer.php | 1 + 1 file changed, 1 insertion(+) diff --git a/inc/url_replacer.php b/inc/url_replacer.php index b358c52a..dac8c79c 100644 --- a/inc/url_replacer.php +++ b/inc/url_replacer.php @@ -163,6 +163,7 @@ public function build_url( $url = sprintf( '%s://%s', is_ssl() ? 'https' : 'http', $url ); } $normalized_ext = strtolower( $ext ); + $url = esc_url( $url ); if ( isset( Optml_Config::$image_extensions[ $normalized_ext ] ) ) { $new_url = $this->normalize_image( $url, $original_url, $args, $is_uploaded, $normalized_ext ); if ( $is_uploaded ) { From 5de34a50cc35a91fd4fe49bae4e83f19e7af49be Mon Sep 17 00:00:00 2001 From: girishpanchal30 Date: Thu, 25 Jun 2026 12:58:09 +0530 Subject: [PATCH 2/2] fix: escape URLs to prevent XSS --- inc/url_replacer.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/inc/url_replacer.php b/inc/url_replacer.php index dac8c79c..af827f3c 100644 --- a/inc/url_replacer.php +++ b/inc/url_replacer.php @@ -163,7 +163,10 @@ public function build_url( $url = sprintf( '%s://%s', is_ssl() ? 'https' : 'http', $url ); } $normalized_ext = strtolower( $ext ); - $url = esc_url( $url ); + $url = esc_url( $url ); + if ( empty( $url ) ) { + return $original_url; + } if ( isset( Optml_Config::$image_extensions[ $normalized_ext ] ) ) { $new_url = $this->normalize_image( $url, $original_url, $args, $is_uploaded, $normalized_ext ); if ( $is_uploaded ) {