From bf2437194ba90dad3660a56c0aed301aeca4cde0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jun 2026 09:24:03 +0000 Subject: [PATCH 1/3] chore(deps): bump codeinwp/themeisle-sdk from 3.3.52 to 3.3.53 Bumps [codeinwp/themeisle-sdk](https://github.com/Codeinwp/themeisle-sdk) from 3.3.52 to 3.3.53. - [Release notes](https://github.com/Codeinwp/themeisle-sdk/releases) - [Changelog](https://github.com/Codeinwp/themeisle-sdk/blob/v3.3.53/CHANGELOG.md) - [Commits](https://github.com/Codeinwp/themeisle-sdk/compare/v3.3.52...v3.3.53) --- updated-dependencies: - dependency-name: codeinwp/themeisle-sdk dependency-version: 3.3.53 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- composer.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/composer.lock b/composer.lock index 70a45f65..70769c11 100644 --- a/composer.lock +++ b/composer.lock @@ -64,16 +64,16 @@ }, { "name": "codeinwp/themeisle-sdk", - "version": "3.3.52", + "version": "3.3.53", "source": { "type": "git", "url": "https://github.com/Codeinwp/themeisle-sdk.git", - "reference": "d1ae68cbd4f84934b4d982e9eeff317b9f4c814a" + "reference": "a657eaedf62cc84c82e539167ac9e19b3e618ce8" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/Codeinwp/themeisle-sdk/zipball/d1ae68cbd4f84934b4d982e9eeff317b9f4c814a", - "reference": "d1ae68cbd4f84934b4d982e9eeff317b9f4c814a", + "url": "https://api.github.com/repos/Codeinwp/themeisle-sdk/zipball/a657eaedf62cc84c82e539167ac9e19b3e618ce8", + "reference": "a657eaedf62cc84c82e539167ac9e19b3e618ce8", "shasum": "" }, "require-dev": { 
@@ -99,9 +99,9 @@ ], "support": { "issues": "https://github.com/Codeinwp/themeisle-sdk/issues", - "source": "https://github.com/Codeinwp/themeisle-sdk/tree/v3.3.52" + "source": "https://github.com/Codeinwp/themeisle-sdk/tree/v3.3.53" }, - "time": "2026-05-14T19:43:56+00:00" + "time": "2026-06-18T07:32:53+00:00" }, { "name": "enshrined/svg-sanitize",
From e7cea7748cc08254239e90f8846ff1085c3598d2 Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Thu, 25 Jun 2026 12:46:43 +0530
Subject: [PATCH 2/3] fix: escape URLs to prevent XSS
---
 inc/url_replacer.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/inc/url_replacer.php b/inc/url_replacer.php
index b358c52a..dac8c79c 100644
--- a/inc/url_replacer.php
+++ b/inc/url_replacer.php
@@ -163,6 +163,7 @@ public function build_url(
 $url = sprintf( '%s://%s', is_ssl() ? 'https' : 'http', $url );
 }
 $normalized_ext = strtolower( $ext );
+ $url = esc_url( $url );
 if ( isset( Optml_Config::$image_extensions[ $normalized_ext ] ) ) {
 $new_url = $this->normalize_image( $url, $original_url, $args, $is_uploaded, $normalized_ext );
 if ( $is_uploaded ) {
From 5de34a50cc35a91fd4fe49bae4e83f19e7af49be Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Thu, 25 Jun 2026 12:58:09 +0530
Subject: [PATCH 3/3] fix: escape URLs to prevent XSS
---
 inc/url_replacer.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/inc/url_replacer.php b/inc/url_replacer.php
index dac8c79c..af827f3c 100644
--- a/inc/url_replacer.php
+++ b/inc/url_replacer.php
@@ -163,7 +163,10 @@ public function build_url(
 $url = sprintf( '%s://%s', is_ssl() ? 'https' : 'http', $url );
 }
 $normalized_ext = strtolower( $ext );
- $url = esc_url( $url );
+ $url = esc_url( $url );
+ if ( empty( $url ) ) {
+ return $original_url;
+ }
 if ( isset( Optml_Config::$image_extensions[ $normalized_ext ] ) ) {
 $new_url = $this->normalize_image( $url, $original_url, $args, $is_uploaded, $normalized_ext );
 if ( $is_uploaded ) {
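Review bot: `esc_url()` is WordPress's display-context escaper, so calling it in the middle of `build_url` means the value handed to `normalize_image()` already has `&` rewritten to `&#038;` and `'` to `&#039;`. A source URL with a query string would then be carried onward in entity-encoded form, and it would be encoded a second time if the caller escapes on output. For a URL that is still being processed, `$url = esc_url_raw( $url );` applies the same protocol filtering without the HTML entities, leaving `esc_url()` for the point where the URL is printed. The same line is carried into the `-163,7 +163,10` hunk of patch 3/3. `build_url` starts and ends outside both hunks, so where its result is rendered is not visible here.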
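Review bot: When `esc_url()` rejects the URL, the new `if ( empty( $url ) )` branch returns `$original_url`, which by its name is the input as received, so the string the check just refused leaves `build_url` unchanged. If the aim of the commit is XSS prevention, this branch only skips optimisation. It should either say so, e.g. `// esc_url() rejected the URL; return the input untouched, callers must escape on output.`, or return a value that is safe to print. Whether callers escape the result is not visible in this hunk, since `build_url` begins and ends outside it.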