Fixes

PDowney · web-flow · commit dfc638e4b984 · 2026-02-28T17:47:30.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- **Security**: Moved `esc_textarea()` escaping to the point of output for textarea values, preventing a potential XSS vector
 - **Code Quality**: Refactored textarea rendering to place PHP open/close tags on their own lines, resolving Codacy best-practice warnings
 - **Critical**: Fixed whitespace embedded inside form field `name` attributes (checkbox and textarea) that prevented settings from ever being saved — `$_POST['es_optimizer_options']` was never set because browsers sent the literal newlines/tabs as part of the field name
 - **Critical**: Fixed inverted IP-validation logic in `es_optimizer_validate_single_domain()` that caused every domain name (e.g. `fonts.googleapis.com`) to be incorrectly rejected when saving preconnect/DNS-prefetch settings
diff --git a/readme.txt b/readme.txt
@@ -49,6 +49,7 @@ No, the plugin has a simple interface where you can toggle features on and off.
 * **BUG FIX (Critical)**: Fixed `es_optimizer_clear_options_cache()` which was not actually clearing the static options cache
 * **BUG FIX**: Fixed textarea content containing leading whitespace between the HTML tag and the PHP value output
 * **SECURITY**: Added missing `esc_url()` and `esc_html__()` escaping to the Settings link in the Plugins list
+* **SECURITY**: Moved `esc_textarea()` escaping to the point of output for textarea values, preventing a potential XSS vector
 * **SECURITY**: Removed redundant custom nonce field and its bypassable verification; CSRF protection is handled by WordPress Settings API
 * **CODE QUALITY**: Fixed double-escaping — render callers now pass `__()` instead of `esc_html__()`, with escaping done at output in the render functions
 * **CODE QUALITY**: Renamed 11 globally-scoped functions to use the `es_optimizer_` prefix, preventing potential naming collisions with other plugins
diff --git a/simple-wp-optimizer.php b/simple-wp-optimizer.php
@@ -499,9 +499,9 @@ function es_optimizer_render_textarea_option( $options, $option_name, $title, $d
 				?>
 			</small></p>
 			<?php
-			$textarea_value = isset( $options[ $option_name ] ) ? esc_textarea( $options[ $option_name ] ) : '';
+			$textarea_value = isset( $options[ $option_name ] ) ? $options[ $option_name ] : '';
 			?>
-			<textarea name="<?php printf( 'es_optimizer_options[%s]', esc_attr( $option_name ) ); ?>" rows="5" cols="50" class="large-text code"><?php echo $textarea_value; ?></textarea>
+			<textarea name="<?php printf( 'es_optimizer_options[%s]', esc_attr( $option_name ) ); ?>" rows="5" cols="50" class="large-text code"><?php echo esc_textarea( $textarea_value ); ?></textarea>
 		</td>
 	</tr>
 	<?php
