
Escaped URLs to prevent XSS#1083

Merged
vytisbulkevicius merged 2 commits into development from bugfix/optimole-service/1711 on Jun 25, 2026

Conversation

@girishpanchal30 (Contributor)

Summary:

Escaping the URL before passing it to the Optimole SDK to prevent XSS vulnerabilities.

All Submissions:

Closes https://github.com/Codeinwp/optimole-service/issues/1711

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?

@pirate-bot (Collaborator) commented Jun 25, 2026

Plugin build for 5de34a5 is ready 🛎️!

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens the legacy URL replacement pipeline (Optml_Url_Replacer) by sanitizing the source URL before it is passed into the Optimole SDK, aiming to reduce the risk of XSS via maliciously crafted URLs.

Changes:

  • Sanitize $url in Optml_Url_Replacer::build_url() using esc_url() before generating an optimized CDN URL.


Comment thread inc/url_replacer.php Outdated
$url = sprintf( '%s://%s', is_ssl() ? 'https' : 'http', $url );
}
$normalized_ext = strtolower( $ext );
$url = esc_url( $url );
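Review bot: the new `$url = esc_url( $url );` on the last line does not handle a rejected input. esc_url() returns an empty string when the scheme is not in the allowed protocol list, so build_url() would carry on with `''` and hand an empty source URL to the SDK; check the result and return early instead, e.g. `if ( '' === $url ) { return $original_url; }` (`$original_url` is a placeholder for whatever holds the unmodified input). Separately, esc_url() is the output-context escaper and entity-encodes `&` as `&#038;`, which can alter query strings in a value that is processed rather than echoed; esc_url_raw() applies the same scheme filtering without that encoding and is the better fit for a URL passed on to the SDK.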
@vytisbulkevicius vytisbulkevicius merged commit 5c89475 into development Jun 25, 2026
11 checks passed
@vytisbulkevicius vytisbulkevicius deleted the bugfix/optimole-service/1711 branch June 25, 2026 13:58
@pirate-bot (Collaborator)

🎉 This PR is included in version 4.2.8 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@pirate-bot pirate-bot added the released Indicate that an issue has been resolved and released in a particular version of the product. label Jun 26, 2026