From a5aac2011dd4339c7d7b563d6e4f95443dd93e49 Mon Sep 17 00:00:00 2001
From: Jon Surrell
Date: Thu, 25 Apr 2019 17:59:10 +0200
Subject: [PATCH] Escape url photon urls
---
 .../blocks/tiled-gallery/tiled-gallery.php | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/extensions/blocks/tiled-gallery/tiled-gallery.php b/extensions/blocks/tiled-gallery/tiled-gallery.php
index 493131015b0f1..f19319a913e73 100644
--- a/extensions/blocks/tiled-gallery/tiled-gallery.php
+++ b/extensions/blocks/tiled-gallery/tiled-gallery.php
@@ -77,11 +77,13 @@ public static function render( $attr, $content ) {
 $max_width = min( self::IMG_SRCSET_WIDTH_MAX, $orig_width, $orig_height );
 for ( $w = $min_width; $w <= $max_width; $w = min( $max_width, $w + self::IMG_SRCSET_WIDTH_STEP ) ) {
- $photonized_src = jetpack_photon_url(
- $orig_src,
- array(
- 'resize' => $w . ',' . $w,
- 'strip' => 'all',
+ $photonized_src = esc_url(
+ jetpack_photon_url(
+ $orig_src,
+ array(
+ 'resize' => $w . ',' . $w,
+ 'strip' => 'all',
+ )
 )
 );
 $srcset_parts[] = $photonized_src . ' ' . $w . 'w';
@@ -94,11 +96,13 @@ public static function render( $attr, $content ) {
 $max_width = min( self::IMG_SRCSET_WIDTH_MAX, $orig_width );
 for ( $w = $min_width; $w <= $max_width; $w = min( $max_width, $w + self::IMG_SRCSET_WIDTH_STEP ) ) {
- $photonized_src = jetpack_photon_url(
- $orig_src,
- array(
- 'strip' => 'all',
- 'w' => $w,
+ $photonized_src = esc_url(
+ jetpack_photon_url(
+ $orig_src,
+ array(
+ 'strip' => 'all',
+ 'w' => $w,
+ )
 )
 );
 $srcset_parts[] = $photonized_src . ' ' . $w . 'w';
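Review bot: esc_url() returns an empty string when it rejects a URL (for example a scheme outside the allowed protocols), and the unchanged append after each new call still runs, so the srcset would gain a candidate with no URL such as ` 300w`. Guard the append in the first hunk's square-layout loop and in the second hunk's width-only loop, e.g. `if ( '' !== $photonized_src ) { $srcset_parts[] = $photonized_src . ' ' . $w . 'w'; }`. Wrapping the append is safer than a `continue`, because the rest of each loop body, including whatever stops the loop once `$w` reaches `$max_width`, lies outside the hunks. Where `$orig_src` comes from is not visible here; if it is read from saved block markup it is author-controlled, which is the case this escaping exists for.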