fix: escape URLs to prevent XSS

girishpanchal30 · girishpanchal30 · commit e7cea7748cc0 · 2026-06-25T12:46:43.000+05:30
diff --git a/inc/url_replacer.php b/inc/url_replacer.php
@@ -163,6 +163,7 @@ public function build_url(
 			$url = sprintf( '%s://%s', is_ssl() ? 'https' : 'http', $url );
 		}
 		$normalized_ext = strtolower( $ext );
+		$url            = esc_url( $url );
 		if ( isset( Optml_Config::$image_extensions[ $normalized_ext ] ) ) {
 			$new_url = $this->normalize_image( $url, $original_url, $args, $is_uploaded, $normalized_ext );
 			if ( $is_uploaded ) {

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,7 @@ public function build_url(`
`163`	`163`	`$url = sprintf( '%s://%s', is_ssl() ? 'https' : 'http', $url );`
`164`	`164`	`}`
`165`	`165`	`$normalized_ext = strtolower( $ext );`
	`166`	`+ $url = esc_url( $url );`
`166`	`167`	`if ( isset( Optml_Config::$image_extensions[ $normalized_ext ] ) ) {`
`167`	`168`	`$new_url = $this->normalize_image( $url, $original_url, $args, $is_uploaded, $normalized_ext );`
`168`	`169`	`if ( $is_uploaded ) {`