From 679dcfd9f7ca197004d2f9da0f0183126442f55d Mon Sep 17 00:00:00 2001
From: Bart Jaskulski <bartek.jaskulski@wpdesk.net>
Date: Mon, 20 Sep 2021 11:26:37 +0200
Subject: [PATCH] fix: use appropiate escaping function in url

---
 templates/input-image.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/input-image.php b/templates/input-image.php
index 313e0e6..5111c4c 100644
--- a/templates/input-image.php
+++ b/templates/input-image.php
@@ -13,15 +13,15 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
 			id="<?php echo \esc_attr( $field->get_id() ); ?>"/>
 	<div class="custom-img-container">
 		<?php if ( $value ) : ?>
-            <img src="<?php echo \esc_html( $value ) ?>" alt="" width="100"/>
+            <img src="<?php echo \esc_url( $value ) ?>" alt="" width="100"/>
 		<?php endif; ?>
     </div>
     <p class="hide-if-no-js">
-        <a class="upload-custom-img <?php if ( $value ): ?>hidden<?php endif ?>" href="<?php echo \esc_html( $value ) ?>">
-			<?php _e( 'Set image', 'wp-forms' ) ?>
+        <a class="upload-custom-img <?php if ( $value ): ?>hidden<?php endif ?>" href="<?php echo \esc_url( $value ) ?>">
+			<?php \esc_html_e( 'Set image', 'wp-forms' ) ?>
         </a>
         <a class="delete-custom-img <?php if ( ! $value ): ?>hidden<?php endif ?>" href="#">
-			<?php _e( 'Remove image', 'wp-forms' ) ?>
+			<?php \esc_html_e( 'Remove image', 'wp-forms' ) ?>
         </a>
     </p>
 </div>
-- 
GitLab