
v6.5.3: Quote escaped in attributes when building HTML.
Hai Zheng committed Nov 7, 2024
1 parent 3c82c61 commit 5fa335c
Showing 7 changed files with 28 additions and 20 deletions.
2 changes: 1 addition & 1 deletion src/admin-display.cls.php
Expand Up @@ -278,7 +278,7 @@ public function babel_type($tag, $handle, $src)
return $tag;
}

return '<script src="' . $src . '" type="text/babel"></script>';
return '<script src="' . Str::trim_quotes($src) . '" type="text/babel"></script>';
}

/**
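Review bot: Str::trim_quotes only deletes the `"` character, so the new `src` value is stripped rather than escaped: a URL that legitimately contains a quote is silently altered, and `&` is left unencoded so entity-like sequences in the URL are reinterpreted by the HTML parser. Since this is WordPress code (the `__()` calls with the `litespeed-cache` text domain elsewhere in the commit), `esc_url()` for URLs and `esc_attr()` for other attribute values encode instead of dropping characters and keep the value intact; suggested line: `return '<script src="' . esc_url($src) . '" type="text/babel"></script>';`. The same applies to the `href`/`src` values changed in media.cls.php, optimize.cls.php, placeholder.cls.php and tpl/toolbox/purge.tpl.php, and to the `id`/`name` attributes in tpl/inc/metabox.php. babel_type begins outside the hunk.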
4 changes: 2 additions & 2 deletions src/media.cls.php
Expand Up @@ -87,7 +87,7 @@ public function finalize_head($content)
// <link rel="preload" as="image" href="xx">
if ($this->_vpi_preload_list) {
foreach ($this->_vpi_preload_list as $v) {
$content .= '<link rel="preload" as="image" href="' . $v . '">';
$content .= '<link rel="preload" as="image" href="' . Str::trim_quotes($v) . '">';
}
}
// $featured_image_url = get_the_post_thumbnail_url();
Expand Down Expand Up @@ -759,7 +759,7 @@ private function _parse_img()
$attrs['width'] = $ori_width;
$attrs['height'] = $ori_height;
$new_html = preg_replace('#\s+(width|height)=(["\'])[^\2]*?\2#', '', $match[0]);
$new_html = preg_replace('#<img\s+#i', '<img width="' . $attrs['width'] . '" height="' . $attrs['height'] . '" ', $new_html);
$new_html = preg_replace('#<img\s+#i', '<img width="' . Str::trim_quotes($attrs['width']) . '" height="' . Str::trim_quotes($attrs['height']) . '" ', $new_html);
self::debug('Add missing sizes ' . $attrs['width'] . 'x' . $attrs['height'] . ' to ' . $attrs['src']);
$this->content = str_replace($match[0], $new_html, $this->content);
$match[0] = $new_html;
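Review bot: In the `_parse_img` hunk, stripping quotes from `$attrs['width']` and `$attrs['height']` does not guarantee the emitted `width`/`height` attributes are numeric, and the `self::debug` call on the next line still logs the untrimmed values. These two entries are assigned from `$ori_width` and `$ori_height` two lines earlier; if those are numeric (their origin is outside the hunk), an `(int)` cast states that intent directly: `'<img width="' . (int) $attrs['width'] . '" height="' . (int) $attrs['height'] . '" '`. `_parse_img` begins and ends outside the hunk.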
16 changes: 8 additions & 8 deletions src/optimize.cls.php
Expand Up @@ -333,9 +333,9 @@ private function _optimize()
// Handle css async load
if ($this->cfg_css_async) {
$this->html_head .=
'<link rel="preload" data-asynced="1" data-optimized="2" as="style" onload="this.onload=null;this.rel=\'stylesheet\'" href="' . $url . '" />'; // todo: How to use " in attr wrapper "
'<link rel="preload" data-asynced="1" data-optimized="2" as="style" onload="this.onload=null;this.rel=\'stylesheet\'" href="' . Str::trim_quotes($url) . '" />'; // todo: How to use " in attr wrapper "
} else {
$this->html_head .= '<link data-optimized="2" rel="stylesheet" href="' . $url . '" />'; // use 2 as combined
$this->html_head .= '<link data-optimized="2" rel="stylesheet" href="' . Str::trim_quotes($url) . '" />'; // use 2 as combined
}

// Move all css to top
Expand Down Expand Up @@ -513,14 +513,14 @@ private function _optimize()
private function _build_js_tag($src)
{
if ($this->cfg_js_defer === 2 || Utility::str_hit_array($src, $this->cfg_js_delay_inc)) {
return '<script data-optimized="1" type="litespeed/javascript" data-src="' . $src . '"></script>';
return '<script data-optimized="1" type="litespeed/javascript" data-src="' . Str::trim_quotes($src) . '"></script>';
}

if ($this->cfg_js_defer) {
return '<script data-optimized="1" src="' . $src . '" defer></script>';
return '<script data-optimized="1" src="' . Str::trim_quotes($src) . '" defer></script>';
}

return '<script data-optimized="1" src="' . $src . '"></script>';
return '<script data-optimized="1" src="' . Str::trim_quotes($src) . '"></script>';
}

/**
Expand Down Expand Up @@ -601,7 +601,7 @@ private function _async_ggfonts()
}
}

$script .= '"' . implode('","', $families) . ($this->_conf_css_font_display ? '&display=swap' : '') . '"';
$script .= '"' . Str::trim_quotes(implode('","', $families)) . ($this->_conf_css_font_display ? '&display=swap' : '') . '"';

$script .= ']}};';

Expand Down Expand Up @@ -713,7 +713,7 @@ public function dns_prefetch_output()
{
foreach ($this->dns_prefetch as $v) {
if ($v) {
$this->html_head .= '<link rel="dns-prefetch" href="' . $v . '" />';
$this->html_head .= '<link rel="dns-prefetch" href="' . Str::trim_quotes($v) . '" />';
}
}
}
Expand All @@ -728,7 +728,7 @@ public function dns_preconnect_output()
{
foreach ($this->dns_preconnect as $v) {
if ($v) {
$this->html_head .= '<link rel="preconnect" href="' . $v . '" />';
$this->html_head .= '<link rel="preconnect" href="' . Str::trim_quotes($v) . '" />';
}
}
}
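Review bot: In the `_async_ggfonts` hunk, wrapping `implode('","', $families)` in `Str::trim_quotes` also removes the `"` characters of the separator itself, so the generated font list collapses from `"A","B"` into the single string `"A,B"`. Apply the helper per element instead: `$script .= '"' . implode('","', array_map(array(Str::class, 'trim_quotes'), $families)) . ($this->_conf_css_font_display ? '&display=swap' : '') . '"';`. This value is built into a JavaScript string literal (the `']}};'` appended two lines later) rather than an HTML attribute, so stripping `"` alone does not cover backslashes or, if the script is emitted inline, a `</script>` sequence in a family name; `json_encode` on the family list would be the more robust way to emit it. `_async_ggfonts` begins and ends outside the hunk.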
9 changes: 4 additions & 5 deletions src/placeholder.cls.php
Expand Up @@ -142,13 +142,13 @@ public function media_row_con($post_id)

if ($total_files == 0) {
echo '<div class="litespeed-media-lqip"><img src="' .
File::read($lqip_folder . '/' . $v) .
Str::trim_quotes(File::read($lqip_folder . '/' . $v)) .
'" alt="' .
sprintf(__('LQIP image preview for size %s', 'litespeed-cache'), $v) .
'"></div>';
}

echo '<div class="litespeed-media-size"><a href="' . File::read($lqip_folder . '/' . $v) . '" target="_blank">' . $v . '</a></div>';
echo '<div class="litespeed-media-size"><a href="' . Str::trim_quotes(File::read($lqip_folder . '/' . $v)) . '" target="_blank">' . $v . '</a></div>';

$total_files++;
}
Expand All @@ -174,13 +174,12 @@ public function replace($html, $src, $size)
$additional_attr = '';
if ($this->_conf_lqip && $this_placeholder != $this->_conf_ph_default) {
Debug2::debug2('[LQIP] Use resp LQIP [size] ' . $size);
$size = str_replace('"', '', $size);
$additional_attr = ' data-placeholder-resp="' . $size . '"';
$additional_attr = ' data-placeholder-resp="' . Str::trim_quotes($size) . '"';
}

$snippet = defined('LITESPEED_GUEST_OPTM') || $this->conf(self::O_OPTM_NOSCRIPT_RM) ? '' : '<noscript>' . $html . '</noscript>';
$html = str_replace(array(' src=', ' srcset=', ' sizes='), array(' data-src=', ' data-srcset=', ' data-sizes='), $html);
$html = str_replace('<img ', '<img data-lazyloaded="1"' . $additional_attr . ' src="' . $this_placeholder . '" ', $html);
$html = str_replace('<img ', '<img data-lazyloaded="1"' . $additional_attr . ' src="' . Str::trim_quotes($this_placeholder) . '" ', $html);
$snippet = $html . $snippet;

return $snippet;
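Review bot: In the `media_row_con` hunk, `File::read($lqip_folder . '/' . $v)` is now evaluated twice per iteration, once for the `<img src>` and again for the `<a href>`; reading the file once into a local keeps the two attributes consistent and avoids the second read: `$lqip_src = Str::trim_quotes(File::read($lqip_folder . '/' . $v));`, then use `$lqip_src` in both echo statements. If `File::read` can return `false` on a missing file (cannot be confirmed from the hunk), that case should be checked before the value is placed in the attribute. `media_row_con` begins and ends outside the hunk.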
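--- a/src/str.cls.php
+++ b/src/str.cls.php
@@ -68,4 +68,13 @@ public static function rrand($len, $type = 7)
 
 return $str;
 }
+
+/**
+ * Trim double quotes from a string to be used as a preformatted src in HTML.
+ * @since 6.5.3
+ */
+public static function trim_quotes($string)
+{
+return str_replace('"', '', $string);
+}
 }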
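Review bot: The docblock on `trim_quotes` describes the helper as trimming, but `str_replace('"', '', $string)` removes every double quote anywhere in the value, and nothing else; the comment should make that contract explicit so callers do not mistake it for HTML escaping: `Remove every double quote from a value that will be placed inside a double-quoted HTML attribute. This is not HTML escaping: no other character is touched and quotes are dropped rather than encoded.` The signature also lacks type declarations; `public static function trim_quotes($string): string` with `@param string $string` would document the expected input, though one caller in placeholder.cls.php passes the result of `File::read`, which may not always be a string, so a `string` parameter type should only be added once that return is confirmed.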
6 changes: 3 additions & 3 deletions tpl/inc/metabox.php
Expand Up @@ -13,12 +13,12 @@
if (is_array($existing_val)) {
$existing_val = implode(PHP_EOL, $existing_val);
}
echo '<div style="margin-bottom:10px;"><label for="' . $k . '">' . $v . '</label>';
echo '<textarea style="width:100%" rows="5" id="' . $k . '" name="' . $k . '">' . $existing_val . '</textarea>';
echo '<div style="margin-bottom:10px;"><label for="' . Str::trim_quotes($k) . '">' . $v . '</label>';
echo '<textarea style="width:100%" rows="5" id="' . Str::trim_quotes($k) . '" name="' . Str::trim_quotes($k) . '">' . $existing_val . '</textarea>';
echo '</div>';
} else {
echo '<div style="display:flex;margin-bottom:10px;align-items: center;gap: 2ch;justify-content: space-between;"><label for="' . $k . '">' . $v . '</label>';
echo '<input class="litespeed-tiny-toggle" id="' . $k . '" name="' . $k . '" type="checkbox" value="1" ' . ($existing_val ? 'checked' : '') . ' />';
echo '<input class="litespeed-tiny-toggle" id="' . Str::trim_quotes($k) . '" name="' . Str::trim_quotes($k) . '" type="checkbox" value="1" ' . ($existing_val ? 'checked' : '') . ' />';
echo '</div>';
}
}
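Review bot: On the new `echo` lines, `$k` is quote-stripped for the `for`/`id`/`name` attributes, but the label text `$v` and the textarea content `$existing_val` are still written without any escaping, so a stored value containing `</textarea>` or markup ends the element early. WordPress provides context-specific escapes for these positions: `esc_html($v)` for the label text and `esc_textarea($existing_val)` for the textarea body. The enclosing loop begins outside the hunk.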
2 changes: 1 addition & 1 deletion tpl/toolbox/purge.tpl.php
Expand Up @@ -155,7 +155,7 @@

<a class="litespeed-panel postbox"
href="<?php echo Utility::build_url( $tag, $append_url ) ; ?>"
<?php if ( ! empty( $v[ 'cfm' ] ) ) echo 'data-litespeed-cfm="' . $v[ 'cfm' ] . '"' ; ?>
<?php if ( ! empty( $v[ 'cfm' ] ) ) echo 'data-litespeed-cfm="' . Str::trim_quotes($v[ 'cfm' ]) . '"' ; ?>
>
<section class="litespeed-panel-wrapper-icon">
<span class="litespeed-panel-icon-<?php echo $v[ 'icon' ] ; ?>"></span>
