Merge pull request #1044 from Codeinwp/bugfix/1687

selul · web-flow · commit d701694de009 · 2026-04-01T10:31:45.000+03:00
Prevent cross site scripting
diff --git a/inc/tag_replacer.php b/inc/tag_replacer.php
@@ -504,7 +504,11 @@ public function add_missing_srcset_attributes( $tag, $missing_srcsets, $new_url,
 			$optimized_url = $this->change_url_for_size( $new_url, $width, $height, $dpr );
 
 			if ( $optimized_url ) {
-				$new_srcset_entries[] = $optimized_url . ' ' . $descriptor;
+				$escaped_url = esc_url( $optimized_url );
+				if ( empty( $escaped_url ) ) {
+					continue;
+				}
+				$new_srcset_entries[] = $escaped_url . ' ' . esc_attr( $descriptor );
 
 				// Add sizes attribute entry for responsive breakpoints
 				if ( $breakpoint > 0 ) {
