From 978834e4a4088249f18181ac7b47a475f93aa56c Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Thu, 2 Apr 2026 11:08:43 +0530
Subject: [PATCH 1/2] fix: escape url to prevent xss
---
 inc/manager.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inc/manager.php b/inc/manager.php
index a8925a90..d3322c3a 100644
--- a/inc/manager.php
+++ b/inc/manager.php
@@ -456,7 +456,7 @@ public function replace_content( $html, $partial = false ) {
 $hmac = wp_hash( $profile_id . $time . $this->get_current_url(), 'nonce' );
 $js_optimizer = str_replace(
 [ Profile::PLACEHOLDER, Profile::PLACEHOLDER_MISSING, Profile::PLACEHOLDER_TIME, Profile::PLACEHOLDER_HMAC, Profile::PLACEHOLDER_URL ],
- [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, $this->get_current_url() ],
+ [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, esc_url( esc_js( $this->get_current_url() ) ) ],
 $js_optimizer
 );
 $html = str_replace( Optml_Admin::get_optimizer_script( true ), $js_optimizer, $html );
From 537fc2f5b35a072560052b612dce577f14831b2d Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Thu, 2 Apr 2026 11:24:15 +0530
Subject: [PATCH 2/2] fix: escape url generation to enhance security
---
 inc/manager.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/inc/manager.php b/inc/manager.php
index d3322c3a..ffb713c7 100644
--- a/inc/manager.php
+++ b/inc/manager.php
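Review bot: The added `esc_url( esc_js( ... ) )` on the PLACEHOLDER_URL replacement composes two escapers in the wrong order for the context: esc_js() escapes for a single-quoted JavaScript string, but esc_url() then runs over its output, dropping characters outside its URL whitelist (which includes the backslashes esc_js() inserted) and entity-encoding `&` and `'` for an HTML attribute context, so the value reaching the optimizer script is neither a faithful URL nor a JS-escaped one. Escape for the outermost context last, i.e. sanitise the URL first and JS-escape the result, `esc_js( esc_url_raw( $this->get_current_url() ) )`, assuming PLACEHOLDER_URL sits inside a single-quoted JS string literal in the optimizer script; if the placeholder is substituted unquoted, `wp_json_encode()` of the sanitised URL is the right form instead. The second patch in this series keeps the same expression when it hoists it into `$url`, so the fix applies there as well. replace_content() begins and ends outside this hunk.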
@@ -453,10 +453,11 @@ public function replace_content( $html, $partial = false ) {
 if ( ! $this->page_profiler->exists_all( $profile_id ) ) {
 $missing = $this->page_profiler->missing_devices( $profile_id );
 $time = time();
- $hmac = wp_hash( $profile_id . $time . $this->get_current_url(), 'nonce' );
+ $url = esc_url( esc_js( $this->get_current_url() ) );
+ $hmac = wp_hash( $profile_id . $time . $url, 'nonce' );
 $js_optimizer = str_replace(
 [ Profile::PLACEHOLDER, Profile::PLACEHOLDER_MISSING, Profile::PLACEHOLDER_TIME, Profile::PLACEHOLDER_HMAC, Profile::PLACEHOLDER_URL ],
- [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, esc_url( esc_js( $this->get_current_url() ) ) ],
+ [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, $url ],
 $js_optimizer
 );
 $html = str_replace( Optml_Admin::get_optimizer_script( true ), $js_optimizer, $html );
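Review bot: Computing `$url` before the `wp_hash()` call changes the HMAC input from the raw current URL to its escaped form, so whichever endpoint later verifies PLACEHOLDER_HMAC must rebuild exactly that escaped string; if it hashes the URL it receives in the request (the previous behaviour, matching what `get_current_url()` returns), any URL containing a character the escaping alters, such as `&` in a query string which esc_url() entity-encodes, will fail verification. Sign the canonical value and escape only the copy emitted into the script: keep `$url = $this->get_current_url();` and `$hmac = wp_hash( $profile_id . $time . $url, 'nonce' );`, and put `esc_js( esc_url_raw( $url ) )` in the replacement array. The verification side is not in this diff, so the mismatch is inferred from the change of hash input rather than observed. replace_content() begins and ends outside this hunk.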