From 183ce040ba3a9a1775b60cb2276a565f29c3e345 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 1 Apr 2026 07:33:06 +0000
Subject: [PATCH 1/3] chore(deps): bump codeinwp/themeisle-sdk from 3.3.50 to 3.3.51

Bumps [codeinwp/themeisle-sdk](https://github.com/Codeinwp/themeisle-sdk) from 3.3.50 to 3.3.51.
- [Release notes](https://github.com/Codeinwp/themeisle-sdk/releases)
- [Changelog](https://github.com/Codeinwp/themeisle-sdk/blob/v3.3.51/CHANGELOG.md)
- [Commits](https://github.com/Codeinwp/themeisle-sdk/compare/v3.3.50...v3.3.51)
---
updated-dependencies:
- dependency-name: codeinwp/themeisle-sdk
dependency-version: 3.3.51
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
composer.lock | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/composer.lock b/composer.lock
index f1d7c19c..31e8ab65 100644
--- a/composer.lock
+++ b/composer.lock
@@ -64,21 +64,21 @@
 },
 {
 "name": "codeinwp/themeisle-sdk",
- "version": "3.3.50",
+ "version": "3.3.51",
 "source": {
 "type": "git",
 "url": "https://github.com/Codeinwp/themeisle-sdk.git",
- "reference": "3c1f8dfc2390e667bbc086c5d660900a7985efa6"
+ "reference": "bb2a8414b0418b18c68c9ff1df3d7fb10467928d"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/Codeinwp/themeisle-sdk/zipball/3c1f8dfc2390e667bbc086c5d660900a7985efa6",
- "reference": "3c1f8dfc2390e667bbc086c5d660900a7985efa6",
+ "url": "https://api.github.com/repos/Codeinwp/themeisle-sdk/zipball/bb2a8414b0418b18c68c9ff1df3d7fb10467928d",
+ "reference": "bb2a8414b0418b18c68c9ff1df3d7fb10467928d",
 "shasum": ""
 },
 "require-dev": {
 "codeinwp/phpcs-ruleset": "dev-main",
- "yoast/phpunit-polyfills": "^2.0"
+ "yoast/phpunit-polyfills": "^4.0"
 },
 "type": "library",
 "notification-url": "https://packagist.org/downloads/",
@@ -99,9 +99,9 @@
 ],
 "support": {
 "issues": "https://github.com/Codeinwp/themeisle-sdk/issues",
- "source": "https://github.com/Codeinwp/themeisle-sdk/tree/v3.3.50"
+ "source": "https://github.com/Codeinwp/themeisle-sdk/tree/v3.3.51"
 },
- "time": "2025-11-25T19:36:35+00:00"
+ "time": "2026-03-30T07:58:49+00:00"
 },
 {
 "name": "enshrined/svg-sanitize",
@@ -2679,5 +2679,5 @@
 "platform-overrides": {
 "php": "7.4"
 },
- "plugin-api-version": "2.6.0"
+ "plugin-api-version": "2.9.0"
 }

From 978834e4a4088249f18181ac7b47a475f93aa56c Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Thu, 2 Apr 2026 11:08:43 +0530
Subject: [PATCH 2/3] fix: escape url to prevent xss

---
inc/manager.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inc/manager.php b/inc/manager.php
index a8925a90..d3322c3a 100644
--- a/inc/manager.php
+++ b/inc/manager.php
@@ -456,7 +456,7 @@ public function replace_content( $html, $partial = false ) {
 $hmac = wp_hash( $profile_id . $time . $this->get_current_url(), 'nonce' );
 $js_optimizer = str_replace(
 [ Profile::PLACEHOLDER, Profile::PLACEHOLDER_MISSING, Profile::PLACEHOLDER_TIME, Profile::PLACEHOLDER_HMAC, Profile::PLACEHOLDER_URL ],
- [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, $this->get_current_url() ],
+ [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, esc_url( esc_js( $this->get_current_url() ) ) ],
 $js_optimizer
 );
 $html = str_replace( Optml_Admin::get_optimizer_script( true ), $js_optimizer, $html );

From 537fc2f5b35a072560052b612dce577f14831b2d Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Thu, 2 Apr 2026 11:24:15 +0530
Subject: [PATCH 3/3] fix: escape url generation to enhance security

---
inc/manager.php | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/inc/manager.php b/inc/manager.php
index d3322c3a..ffb713c7 100644
--- a/inc/manager.php
+++ b/inc/manager.php
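Review bot: The escaping order on the added replacement line in the inc/manager.php hunk looks inverted for the context it targets: the value is spliced into the optimizer script (`$js_optimizer`, later swapped in for `Optml_Admin::get_optimizer_script( true )`), so the JavaScript-context escape should be the outermost call, yet `esc_url()` runs last and, as far as I recall its character allow-list, strips the backslashes that `esc_js()` just inserted, while `esc_js()` itself entity-encodes `&`, which a `<script>` block will not decode, so a query string in the current URL may reach the script altered. If `Profile::PLACEHOLDER_URL` sits inside a JS string literal, `esc_js( esc_url_raw( $this->get_current_url() ) )` keeps the URL sanitising inside and the context escape outside; if the template can change, emitting the value with `wp_json_encode()` into an unquoted placeholder is the cleaner fix — confirm against how the placeholder is quoted in the optimizer template, which is not visible here. The same `esc_url( esc_js( ... ) )` call is carried into the `$url` assignment in the third patch's hunk. `replace_content` starts and continues outside this hunk.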
@@ -453,10 +453,11 @@ public function replace_content( $html, $partial = false ) {
 if ( ! $this->page_profiler->exists_all( $profile_id ) ) {
 $missing = $this->page_profiler->missing_devices( $profile_id );
 $time = time();
- $hmac = wp_hash( $profile_id . $time . $this->get_current_url(), 'nonce' );
+ $url = esc_url( esc_js( $this->get_current_url() ) );
+ $hmac = wp_hash( $profile_id . $time . $url, 'nonce' );
 $js_optimizer = str_replace(
 [ Profile::PLACEHOLDER, Profile::PLACEHOLDER_MISSING, Profile::PLACEHOLDER_TIME, Profile::PLACEHOLDER_HMAC, Profile::PLACEHOLDER_URL ],
- [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, esc_url( esc_js( $this->get_current_url() ) ) ],
+ [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, $url ],
 $js_optimizer
 );
 $html = str_replace( Optml_Admin::get_optimizer_script( true ), $js_optimizer, $html );
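Review bot: The HMAC on the added `$hmac` line is now computed over the display-escaped `$url` instead of the raw current URL, which ties the integrity check to WordPress's escaping rules: a verifier that recomputes `wp_hash( $profile_id . $time . <url>, 'nonce' )` from the request's actual URL (that check is outside this hunk, so I cannot see which input it uses) would stop matching as soon as escaping alters a character, for example `&` in a query string. Keeping the hash over the canonical value and escaping only for output, `$hmac = wp_hash( $profile_id . $time . $this->get_current_url(), 'nonce' );` with `$url` used only in the replacement array, avoids that coupling. If the hash is deliberately meant to bind the escaped string the script sees, the verifying side must apply the identical transformation, and a comment on the `$url` line should say so. `replace_content` starts and continues outside this hunk.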