From 3f03acc1071756c6c44b2758fcec393177287689 Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Tue, 31 Mar 2026 18:43:01 +0530
Subject: [PATCH 1/2] fix: prevent cross site scripting
---
 inc/tag_replacer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inc/tag_replacer.php b/inc/tag_replacer.php
index 78cc5f87..83d97a3c 100644
--- a/inc/tag_replacer.php
+++ b/inc/tag_replacer.php
@@ -504,7 +504,7 @@ public function add_missing_srcset_attributes( $tag, $missing_srcsets, $new_url,
 $optimized_url = $this->change_url_for_size( $new_url, $width, $height, $dpr );
 if ( $optimized_url ) {
- $new_srcset_entries[] = $optimized_url . ' ' . $descriptor;
+ $new_srcset_entries[] = esc_url( $optimized_url ) . ' ' . esc_attr( $descriptor );
 // Add sizes attribute entry for responsive breakpoints
 if ( $breakpoint > 0 ) {
From c5045e2a47965ec5bf7233f784f6ee687290f23f Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Tue, 31 Mar 2026 19:05:28 +0530
Subject: [PATCH 2/2] fix: prevent adding empty srcset entries
---
 inc/tag_replacer.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/inc/tag_replacer.php b/inc/tag_replacer.php
index 83d97a3c..d14bef54 100644
--- a/inc/tag_replacer.php
+++ b/inc/tag_replacer.php
@@ -504,7 +504,11 @@ public function add_missing_srcset_attributes( $tag, $missing_srcsets, $new_url,
 $optimized_url = $this->change_url_for_size( $new_url, $width, $height, $dpr );
 if ( $optimized_url ) {
- $new_srcset_entries[] = esc_url( $optimized_url ) . ' ' . esc_attr( $descriptor );
+ $escaped_url = esc_url( $optimized_url );
+ if ( empty( $escaped_url ) ) {
+ continue;
+ }
+ $new_srcset_entries[] = $escaped_url . ' ' . esc_attr( $descriptor );
 // Add sizes attribute entry for responsive breakpoints
 if ( $breakpoint > 0 ) {
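Review bot: `esc_attr( $descriptor )` on the added line keeps the descriptor from breaking out of the attribute, but it does not stop a comma or whitespace inside it from adding extra candidates to the `srcset` list. Where `$descriptor` is built is outside this hunk; if any part of it can come from page markup or a filter, check its shape before use, e.g. `if ( ! preg_match( '/^\d+(\.\d+)?[wx]$/', $descriptor ) ) { continue; }`. The same expression is carried over unchanged by patch 2/2. The `sizes` entries assembled in the `$breakpoint > 0` branch just below are not touched by either patch and, assuming they are written into the same tag, deserve the same look.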
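Review bot: `esc_url( $optimized_url )` is called with the default protocol list, so every scheme in `wp_allowed_protocols()` passes; an image candidate only needs web schemes, so I would narrow it to `$escaped_url = esc_url( $optimized_url, array( 'http', 'https' ) );`. Since `esc_url()` returns a string, `'' === $escaped_url` states the rejection test more exactly than `empty()`. The `continue` depends on a loop whose header is outside this hunk and drops the entry silently, so a short comment such as `// esc_url() returns '' for a rejected URL; skip the candidate rather than emit a bare descriptor.` would help the next reader. The series changes only `inc/tag_replacer.php`; a regression test that runs a URL containing quote characters through `add_missing_srcset_attributes()` and checks the resulting attribute would keep the fix in place.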