From dafd74e617a92bc9f1fb2f6a7fc773624b9ee601 Mon Sep 17 00:00:00 2001
From: "Alexander \"Axel\" Huxel" <alex.huxel@coding-pioneers.com>
Date: Thu, 11 Jun 2026 08:32:15 +0200
Subject: [PATCH 1/3] fix(security): patch DOM-based XSS in bundled
 Featherlight (CVE-2024-5667)

Harden the Featherlight content filters so attacker-controlled attribute
values (href, data-featherlight) can no longer execute script:

- image: assign the URL via .attr('src', url) instead of concatenating it
  into markup, preventing attribute breakout
- jquery: resolve via $(document).find(elem) so strings are treated as
  selectors, never parsed as HTML
- html: sanitize parsed markup, stripping inline event handlers,
  javascript: URLs and <script> tags

Applied to all served files (vendor sources + packed bundles). Bumps
version to 1.3.5 (also busts the script enqueue cache).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 CHANGELOG.md                  |  6 ++++++
 includes/class-plugin.php     |  2 +-
 js/vendor/featherlight.js     | 23 ++++++++++++++++++++---
 js/vendor/featherlight.min.js |  2 +-
 js/wpFeatherlight.pkgd.js     | 23 ++++++++++++++++++++---
 js/wpFeatherlight.pkgd.min.js |  2 +-
 readme.txt                    |  9 +++++++--
 wp-featherlight.php           |  2 +-
 8 files changed, 57 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ed8873..96d0a87 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.3.5
+This is a security release.
+
+Here's a full list of what's changed since the last release:
+- Security: Fixed an authenticated (Contributor+) stored DOM-based XSS in the bundled Featherlight library (CVE-2024-5667). Image URLs are now assigned as attribute values instead of being concatenated into markup, the jQuery selector filter no longer parses input as HTML, and HTML lightbox content is sanitized to strip inline event handlers, `javascript:` URLs and `<script>` tags.
+
 ## 1.3.4
 This is a maintenance release.
 
diff --git a/includes/class-plugin.php b/includes/class-plugin.php
index 174f6f5..0f69031 100644
--- a/includes/class-plugin.php
+++ b/includes/class-plugin.php
@@ -23,7 +23,7 @@ class WP_Featherlight {
 	 * @since 0.3.0
 	 * @var   string
 	 */
-	const VERSION = '1.3.4';
+	const VERSION = '1.3.5';
 
 	/**
 	 * Property for storing a reference to the main plugin file.
diff --git a/js/vendor/featherlight.js b/js/vendor/featherlight.js
index e4e093d..c214f0e 100644
--- a/js/vendor/featherlight.js
+++ b/js/vendor/featherlight.js
@@ -362,7 +362,7 @@
 			jquery: {
 				regex: /^[#.]\w/,         /* Anything that starts with a class name or identifiers */
 				test: function(elem)    { return elem instanceof $ && elem; },
-				process: function(elem) { return this.persist !== false ? $(elem) : $(elem).clone(true); }
+				process: function(elem) { var $elem = $(document).find(elem); return this.persist !== false ? $elem : $elem.clone(true); }
 			},
 			image: {
 				regex: /\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,
@@ -370,7 +370,7 @@
 					var self = this,
 						deferred = $.Deferred(),
 						img = new Image(),
-						$img = $('<img src="'+url+'" alt="" class="'+self.namespace+'-image" />');
+						$img = $('<img alt="" class="'+self.namespace+'-image" />').attr( 'src', url );
 					img.onload  = function() {
 						/* Store naturalWidth & height for IE8 */
 						$img.naturalWidth = img.width; $img.naturalHeight = img.height;
@@ -383,7 +383,24 @@
 			},
 			html: {
 				regex: /^\s*<[\w!][^<]*>/, /* Anything that starts with some kind of valid tag */
-				process: function(html) { return $(html); }
+				process: function(html) {
+				/* Sanitize untrusted markup: drop <script>, inline event handlers and javascript: URLs to prevent DOM XSS (CVE-2024-5667). */
+				var $html = $($.parseHTML('' + html, document, false));
+				$html.find('*').addBack().each(function() {
+					if (!this.attributes) {
+						return;
+					}
+					for (var i = this.attributes.length - 1; i >= 0; i--) {
+						var attrName  = this.attributes[i].name,
+							lowerName = attrName.toLowerCase(),
+							value     = ('' + this.attributes[i].value).replace(/[\s ]+/g, '').toLowerCase();
+						if (0 === lowerName.indexOf('on') || (('href' === lowerName || 'src' === lowerName || 'xlink:href' === lowerName) && 0 === value.indexOf('javascript:'))) {
+							this.removeAttribute(attrName);
+						}
+					}
+				});
+				return $html;
+			}
 			},
 			ajax: {
 				regex: /./,            /* At this point, any content is assumed to be an URL */
diff --git a/js/vendor/featherlight.min.js b/js/vendor/featherlight.min.js
index 26e4e37..a95d283 100644
--- a/js/vendor/featherlight.min.js
+++ b/js/vendor/featherlight.min.js
@@ -1 +1 @@
-!function(u){"use strict";if(void 0!==u)if(u.fn.jquery.match(/-ajax/))"console"in window&&window.console.info("Featherlight needs regular jQuery, not the slim version.");else{var r=[],i=function(t){return r=u.grep(r,function(e){return e!==t&&0<e.$instance.closest("body").length})},o={allow:1,allowfullscreen:1,frameborder:1,height:1,longdesc:1,marginheight:1,marginwidth:1,mozallowfullscreen:1,name:1,referrerpolicy:1,sandbox:1,scrolling:1,src:1,srcdoc:1,style:1,webkitallowfullscreen:1,width:1},n={keyup:"onKeyUp",resize:"onResize"},a=function(e){u.each(c.opened().reverse(),function(){if(!e.isDefaultPrevented()&&!1===this[n[e.type]](e))return e.preventDefault(),e.stopPropagation(),!1})},s=function(e){if(e!==c._globalHandlerInstalled){c._globalHandlerInstalled=e;var t=u.map(n,function(e,t){return t+"."+c.prototype.namespace}).join(" ");u(window)[e?"on":"off"](t,a)}};c.prototype={constructor:c,namespace:"featherlight",targetAttr:"data-featherlight",variant:null,resetCss:!1,background:null,openTrigger:"click",closeTrigger:"click",filter:null,root:"body",openSpeed:250,closeSpeed:250,closeOnClick:"background",closeOnEsc:!0,closeIcon:"&#10005;",loading:"",persist:!1,otherClose:null,beforeOpen:u.noop,beforeContent:u.noop,beforeClose:u.noop,afterOpen:u.noop,afterContent:u.noop,afterClose:u.noop,onKeyUp:u.noop,onResize:u.noop,type:null,contentFilters:["jquery","image","html","ajax","iframe","text"],setup:function(e,t){"object"!=typeof e||e instanceof u!=!1||t||(t=e,e=void 0);var n=u.extend(this,t,{target:e}),r=n.resetCss?n.namespace+"-reset":n.namespace,i=u(n.background||['<div class="'+r+"-loading "+r+'">','<div class="'+r+'-content">','<button class="'+r+"-close-icon "+n.namespace+'-close" aria-label="Close">',n.closeIcon,"</button>",'<div class="'+n.namespace+'-inner">'+n.loading+"</div>","</div>","</div>"].join("")),o="."+n.namespace+"-close"+(n.otherClose?","+n.otherClose:"");return n.$instance=i.clone().addClass(n.variant),n.$instance.on(n.closeTrigger+"."+n.namespace,function(e){if(!e.isDefaultPrevented()){var t=u(e.target);("background"===n.closeOnClick&&t.is("."+n.namespace)||"anywhere"===n.closeOnClick||t.closest(o).length)&&(n.close(e),e.preventDefault())}}),this},getContent:function(){if(!1!==this.persist&&this.$content)return this.$content;var t=this,e=this.constructor.contentFilters,n=function(e){return t.$currentTarget&&t.$currentTarget.attr(e)},r=n(t.targetAttr),i=t.target||r||"",o=e[t.type];if(!o&&i in e&&(o=e[i],i=t.target&&r),i=i||n("href")||"",!o)for(var a in e)t[a]&&(o=e[a],i=t[a]);if(!o){var s=i;if(i=null,u.each(t.contentFilters,function(){return(o=e[this]).test&&(i=o.test(s)),!i&&o.regex&&s.match&&s.match(o.regex)&&(i=s),!i}),!i)return"console"in window&&window.console.error("Featherlight: no content filter found "+(s?' for "'+s+'"':" (no target specified)")),!1}return o.process.call(t,i)},setContent:function(e){return this.$instance.removeClass(this.namespace+"-loading"),this.$instance.toggleClass(this.namespace+"-iframe",e.is("iframe")),this.$instance.find("."+this.namespace+"-inner").not(e).slice(1).remove().end().replaceWith(u.contains(this.$instance[0],e[0])?"":e),this.$content=e.addClass(this.namespace+"-inner"),this},open:function(t){var n=this;if(n.$instance.hide().appendTo(n.root),!(t&&t.isDefaultPrevented()||!1===n.beforeOpen(t))){t&&t.preventDefault();var e=n.getContent();if(e)return r.push(n),s(!0),n.$instance.fadeIn(n.openSpeed),n.beforeContent(t),u.when(e).always(function(e){n.setContent(e),n.afterContent(t)}).then(n.$instance.promise()).done(function(){n.afterOpen(t)})}return n.$instance.detach(),u.Deferred().reject().promise()},close:function(e){var t=this,n=u.Deferred();return!1===t.beforeClose(e)?n.reject():(0===i(t).length&&s(!1),t.$instance.fadeOut(t.closeSpeed,function(){t.$instance.detach(),t.afterClose(e),n.resolve()})),n.promise()},resize:function(e,t){if(e&&t){this.$content.css("width","").css("height","");var n=Math.max(e/(this.$content.parent().width()-1),t/(this.$content.parent().height()-1));1<n&&(n=t/Math.floor(t/n),this.$content.css("width",e/n+"px").css("height",t/n+"px"))}},chainCallbacks:function(e){for(var t in e)this[t]=u.proxy(e[t],this,u.proxy(this[t],this))}},u.extend(c,{id:0,autoBind:"[data-featherlight]",defaults:c.prototype,contentFilters:{jquery:{regex:/^[#.]\w/,test:function(e){return e instanceof u&&e},process:function(e){return!1!==this.persist?u(e):u(e).clone(!0)}},image:{regex:/\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,process:function(e){var t=u.Deferred(),n=new Image,r=u('<img src="'+e+'" alt="" class="'+this.namespace+'-image" />');return n.onload=function(){r.naturalWidth=n.width,r.naturalHeight=n.height,t.resolve(r)},n.onerror=function(){t.reject(r)},n.src=e,t.promise()}},html:{regex:/^\s*<[\w!][^<]*>/,process:function(e){return u(e)}},ajax:{regex:/./,process:function(e){var n=u.Deferred(),r=u("<div></div>").load(e,function(e,t){"error"!==t&&n.resolve(r.contents()),n.fail()});return n.promise()}},iframe:{process:function(e){var t=new u.Deferred,n=u("<iframe/>"),r=function(e,t){var n={},r=new RegExp("^"+t+"([A-Z])(.*)");for(var i in e){var o=i.match(r);o&&(n[(o[1]+o[2].replace(/([A-Z])/g,"-$1")).toLowerCase()]=e[i])}return n}(this,"iframe"),i=function(e,t){var n={};for(var r in e)r in t&&(n[r]=e[r],delete e[r]);return n}(r,o);return n.hide().attr("src",e).attr(i).css(r).on("load",function(){t.resolve(n.show())}).appendTo(this.$instance.find("."+this.namespace+"-content")),t.promise()}},text:{process:function(e){return u("<div>",{text:e})}}},functionAttributes:["beforeOpen","afterOpen","beforeContent","afterContent","beforeClose","afterClose"],readElementConfig:function(e,t){var r=this,i=new RegExp("^data-"+t+"-(.*)"),o={};return e&&e.attributes&&u.each(e.attributes,function(){var e=this.name.match(i);if(e){var t=this.value,n=u.camelCase(e[1]);if(0<=u.inArray(n,r.functionAttributes))t=new Function(t);else try{t=JSON.parse(t)}catch(e){}o[n]=t}}),o},extend:function(e,t){var n=function(){this.constructor=e};return n.prototype=this.prototype,e.prototype=new n,e.__super__=this.prototype,u.extend(e,this,t),e.defaults=e.prototype,e},attach:function(i,o,a){var s=this;"object"!=typeof o||o instanceof u!=!1||a||(a=o,o=void 0);var c,e=(a=u.extend({},a)).namespace||s.defaults.namespace,l=u.extend({},s.defaults,s.readElementConfig(i[0],e),a),t=function(e){var t=u(e.currentTarget),n=u.extend({$source:i,$currentTarget:t},s.readElementConfig(i[0],l.namespace),s.readElementConfig(e.currentTarget,l.namespace),a),r=c||t.data("featherlight-persisted")||new s(o,n);"shared"===r.persist?c=r:!1!==r.persist&&t.data("featherlight-persisted",r),n.$currentTarget.blur&&n.$currentTarget.blur(),r.open(e)};return i.on(l.openTrigger+"."+l.namespace,l.filter,t),{filter:l.filter,handler:t}},current:function(){var e=this.opened();return e[e.length-1]||null},opened:function(){var t=this;return i(),u.grep(r,function(e){return e instanceof t})},close:function(e){var t=this.current();if(t)return t.close(e)},_onReady:function(){var r=this;if(r.autoBind){var i=u(r.autoBind);i.each(function(){r.attach(u(this))}),u(document).on("click",r.autoBind,function(e){if(!e.isDefaultPrevented()){var t=u(e.currentTarget);if(i.length!==(i=i.add(t)).length){var n=r.attach(t);(!n.filter||0<u(e.target).parentsUntil(t,n.filter).length)&&n.handler(e)}}})}},_callbackChain:{onKeyUp:function(e,t){return 27===t.keyCode?(this.closeOnEsc&&u.featherlight.close(t),!1):e(t)},beforeOpen:function(e,t){return u(document.documentElement).addClass("with-featherlight"),this._previouslyActive=document.activeElement,this._$previouslyTabbable=u("a, input, select, textarea, iframe, button, iframe, [contentEditable=true]").not("[tabindex]").not(this.$instance.find("button")),this._$previouslyWithTabIndex=u("[tabindex]").not('[tabindex="-1"]'),this._previousWithTabIndices=this._$previouslyWithTabIndex.map(function(e,t){return u(t).attr("tabindex")}),this._$previouslyWithTabIndex.add(this._$previouslyTabbable).attr("tabindex",-1),document.activeElement.blur&&document.activeElement.blur(),e(t)},afterClose:function(e,t){var n=e(t),r=this;return this._$previouslyTabbable.removeAttr("tabindex"),this._$previouslyWithTabIndex.each(function(e,t){u(t).attr("tabindex",r._previousWithTabIndices[e])}),this._previouslyActive.focus(),0===c.opened().length&&u(document.documentElement).removeClass("with-featherlight"),n},onResize:function(e,t){return this.resize(this.$content.naturalWidth,this.$content.naturalHeight),e(t)},afterContent:function(e,t){var n=e(t);return this.$instance.find("[autofocus]:not([disabled])").focus(),this.onResize(t),n}}}),u.featherlight=c,u.fn.featherlight=function(e,t){return c.attach(this,e,t),this},u(document).ready(function(){c._onReady()})}else"console"in window&&window.console.info("Too much lightness, Featherlight needs jQuery.");function c(e,t){if(!(this instanceof c)){var n=new c(e,t);return n.open(),n}this.id=c.id++,this.setup(e,t),this.chainCallbacks(c._callbackChain)}}(jQuery);
\ No newline at end of file
+!function(u){"use strict";if(void 0!==u)if(u.fn.jquery.match(/-ajax/))"console"in window&&window.console.info("Featherlight needs regular jQuery, not the slim version.");else{var r=[],i=function(t){return r=u.grep(r,function(e){return e!==t&&0<e.$instance.closest("body").length})},o={allow:1,allowfullscreen:1,frameborder:1,height:1,longdesc:1,marginheight:1,marginwidth:1,mozallowfullscreen:1,name:1,referrerpolicy:1,sandbox:1,scrolling:1,src:1,srcdoc:1,style:1,webkitallowfullscreen:1,width:1},n={keyup:"onKeyUp",resize:"onResize"},a=function(e){u.each(c.opened().reverse(),function(){if(!e.isDefaultPrevented()&&!1===this[n[e.type]](e))return e.preventDefault(),e.stopPropagation(),!1})},s=function(e){if(e!==c._globalHandlerInstalled){c._globalHandlerInstalled=e;var t=u.map(n,function(e,t){return t+"."+c.prototype.namespace}).join(" ");u(window)[e?"on":"off"](t,a)}};c.prototype={constructor:c,namespace:"featherlight",targetAttr:"data-featherlight",variant:null,resetCss:!1,background:null,openTrigger:"click",closeTrigger:"click",filter:null,root:"body",openSpeed:250,closeSpeed:250,closeOnClick:"background",closeOnEsc:!0,closeIcon:"&#10005;",loading:"",persist:!1,otherClose:null,beforeOpen:u.noop,beforeContent:u.noop,beforeClose:u.noop,afterOpen:u.noop,afterContent:u.noop,afterClose:u.noop,onKeyUp:u.noop,onResize:u.noop,type:null,contentFilters:["jquery","image","html","ajax","iframe","text"],setup:function(e,t){"object"!=typeof e||e instanceof u!=!1||t||(t=e,e=void 0);var n=u.extend(this,t,{target:e}),r=n.resetCss?n.namespace+"-reset":n.namespace,i=u(n.background||['<div class="'+r+"-loading "+r+'">','<div class="'+r+'-content">','<button class="'+r+"-close-icon "+n.namespace+'-close" aria-label="Close">',n.closeIcon,"</button>",'<div class="'+n.namespace+'-inner">'+n.loading+"</div>","</div>","</div>"].join("")),o="."+n.namespace+"-close"+(n.otherClose?","+n.otherClose:"");return n.$instance=i.clone().addClass(n.variant),n.$instance.on(n.closeTrigger+"."+n.namespace,function(e){if(!e.isDefaultPrevented()){var t=u(e.target);("background"===n.closeOnClick&&t.is("."+n.namespace)||"anywhere"===n.closeOnClick||t.closest(o).length)&&(n.close(e),e.preventDefault())}}),this},getContent:function(){if(!1!==this.persist&&this.$content)return this.$content;var t=this,e=this.constructor.contentFilters,n=function(e){return t.$currentTarget&&t.$currentTarget.attr(e)},r=n(t.targetAttr),i=t.target||r||"",o=e[t.type];if(!o&&i in e&&(o=e[i],i=t.target&&r),i=i||n("href")||"",!o)for(var a in e)t[a]&&(o=e[a],i=t[a]);if(!o){var s=i;if(i=null,u.each(t.contentFilters,function(){return(o=e[this]).test&&(i=o.test(s)),!i&&o.regex&&s.match&&s.match(o.regex)&&(i=s),!i}),!i)return"console"in window&&window.console.error("Featherlight: no content filter found "+(s?' for "'+s+'"':" (no target specified)")),!1}return o.process.call(t,i)},setContent:function(e){return this.$instance.removeClass(this.namespace+"-loading"),this.$instance.toggleClass(this.namespace+"-iframe",e.is("iframe")),this.$instance.find("."+this.namespace+"-inner").not(e).slice(1).remove().end().replaceWith(u.contains(this.$instance[0],e[0])?"":e),this.$content=e.addClass(this.namespace+"-inner"),this},open:function(t){var n=this;if(n.$instance.hide().appendTo(n.root),!(t&&t.isDefaultPrevented()||!1===n.beforeOpen(t))){t&&t.preventDefault();var e=n.getContent();if(e)return r.push(n),s(!0),n.$instance.fadeIn(n.openSpeed),n.beforeContent(t),u.when(e).always(function(e){n.setContent(e),n.afterContent(t)}).then(n.$instance.promise()).done(function(){n.afterOpen(t)})}return n.$instance.detach(),u.Deferred().reject().promise()},close:function(e){var t=this,n=u.Deferred();return!1===t.beforeClose(e)?n.reject():(0===i(t).length&&s(!1),t.$instance.fadeOut(t.closeSpeed,function(){t.$instance.detach(),t.afterClose(e),n.resolve()})),n.promise()},resize:function(e,t){if(e&&t){this.$content.css("width","").css("height","");var n=Math.max(e/(this.$content.parent().width()-1),t/(this.$content.parent().height()-1));1<n&&(n=t/Math.floor(t/n),this.$content.css("width",e/n+"px").css("height",t/n+"px"))}},chainCallbacks:function(e){for(var t in e)this[t]=u.proxy(e[t],this,u.proxy(this[t],this))}},u.extend(c,{id:0,autoBind:"[data-featherlight]",defaults:c.prototype,contentFilters:{jquery:{regex:/^[#.]\w/,test:function(e){return e instanceof u&&e},process:function(e){var t=u(document).find(e);return!1!==this.persist?t:t.clone(!0)}},image:{regex:/\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,process:function(e){var t=u.Deferred(),n=new Image,r=u('<img alt="" class="'+this.namespace+'-image" />').attr("src",e);return n.onload=function(){r.naturalWidth=n.width,r.naturalHeight=n.height,t.resolve(r)},n.onerror=function(){t.reject(r)},n.src=e,t.promise()}},html:{regex:/^\s*<[\w!][^<]*>/,process:function(e){var t=u(u.parseHTML(""+e,document,!1));return t.find("*").addBack().each(function(){var e=this.attributes;if(e)for(var t=e.length-1;t>=0;t--){var n=e[t].name,i=n.toLowerCase(),r=(""+e[t].value).replace(/[\s ]+/g,"").toLowerCase();(0===i.indexOf("on")||("href"===i||"src"===i||"xlink:href"===i)&&0===r.indexOf("javascript:"))&&this.removeAttribute(n)}}),t}},ajax:{regex:/./,process:function(e){var n=u.Deferred(),r=u("<div></div>").load(e,function(e,t){"error"!==t&&n.resolve(r.contents()),n.fail()});return n.promise()}},iframe:{process:function(e){var t=new u.Deferred,n=u("<iframe/>"),r=function(e,t){var n={},r=new RegExp("^"+t+"([A-Z])(.*)");for(var i in e){var o=i.match(r);o&&(n[(o[1]+o[2].replace(/([A-Z])/g,"-$1")).toLowerCase()]=e[i])}return n}(this,"iframe"),i=function(e,t){var n={};for(var r in e)r in t&&(n[r]=e[r],delete e[r]);return n}(r,o);return n.hide().attr("src",e).attr(i).css(r).on("load",function(){t.resolve(n.show())}).appendTo(this.$instance.find("."+this.namespace+"-content")),t.promise()}},text:{process:function(e){return u("<div>",{text:e})}}},functionAttributes:["beforeOpen","afterOpen","beforeContent","afterContent","beforeClose","afterClose"],readElementConfig:function(e,t){var r=this,i=new RegExp("^data-"+t+"-(.*)"),o={};return e&&e.attributes&&u.each(e.attributes,function(){var e=this.name.match(i);if(e){var t=this.value,n=u.camelCase(e[1]);if(0<=u.inArray(n,r.functionAttributes))t=new Function(t);else try{t=JSON.parse(t)}catch(e){}o[n]=t}}),o},extend:function(e,t){var n=function(){this.constructor=e};return n.prototype=this.prototype,e.prototype=new n,e.__super__=this.prototype,u.extend(e,this,t),e.defaults=e.prototype,e},attach:function(i,o,a){var s=this;"object"!=typeof o||o instanceof u!=!1||a||(a=o,o=void 0);var c,e=(a=u.extend({},a)).namespace||s.defaults.namespace,l=u.extend({},s.defaults,s.readElementConfig(i[0],e),a),t=function(e){var t=u(e.currentTarget),n=u.extend({$source:i,$currentTarget:t},s.readElementConfig(i[0],l.namespace),s.readElementConfig(e.currentTarget,l.namespace),a),r=c||t.data("featherlight-persisted")||new s(o,n);"shared"===r.persist?c=r:!1!==r.persist&&t.data("featherlight-persisted",r),n.$currentTarget.blur&&n.$currentTarget.blur(),r.open(e)};return i.on(l.openTrigger+"."+l.namespace,l.filter,t),{filter:l.filter,handler:t}},current:function(){var e=this.opened();return e[e.length-1]||null},opened:function(){var t=this;return i(),u.grep(r,function(e){return e instanceof t})},close:function(e){var t=this.current();if(t)return t.close(e)},_onReady:function(){var r=this;if(r.autoBind){var i=u(r.autoBind);i.each(function(){r.attach(u(this))}),u(document).on("click",r.autoBind,function(e){if(!e.isDefaultPrevented()){var t=u(e.currentTarget);if(i.length!==(i=i.add(t)).length){var n=r.attach(t);(!n.filter||0<u(e.target).parentsUntil(t,n.filter).length)&&n.handler(e)}}})}},_callbackChain:{onKeyUp:function(e,t){return 27===t.keyCode?(this.closeOnEsc&&u.featherlight.close(t),!1):e(t)},beforeOpen:function(e,t){return u(document.documentElement).addClass("with-featherlight"),this._previouslyActive=document.activeElement,this._$previouslyTabbable=u("a, input, select, textarea, iframe, button, iframe, [contentEditable=true]").not("[tabindex]").not(this.$instance.find("button")),this._$previouslyWithTabIndex=u("[tabindex]").not('[tabindex="-1"]'),this._previousWithTabIndices=this._$previouslyWithTabIndex.map(function(e,t){return u(t).attr("tabindex")}),this._$previouslyWithTabIndex.add(this._$previouslyTabbable).attr("tabindex",-1),document.activeElement.blur&&document.activeElement.blur(),e(t)},afterClose:function(e,t){var n=e(t),r=this;return this._$previouslyTabbable.removeAttr("tabindex"),this._$previouslyWithTabIndex.each(function(e,t){u(t).attr("tabindex",r._previousWithTabIndices[e])}),this._previouslyActive.focus(),0===c.opened().length&&u(document.documentElement).removeClass("with-featherlight"),n},onResize:function(e,t){return this.resize(this.$content.naturalWidth,this.$content.naturalHeight),e(t)},afterContent:function(e,t){var n=e(t);return this.$instance.find("[autofocus]:not([disabled])").focus(),this.onResize(t),n}}}),u.featherlight=c,u.fn.featherlight=function(e,t){return c.attach(this,e,t),this},u(document).ready(function(){c._onReady()})}else"console"in window&&window.console.info("Too much lightness, Featherlight needs jQuery.");function c(e,t){if(!(this instanceof c)){var n=new c(e,t);return n.open(),n}this.id=c.id++,this.setup(e,t),this.chainCallbacks(c._callbackChain)}}(jQuery);
\ No newline at end of file
diff --git a/js/wpFeatherlight.pkgd.js b/js/wpFeatherlight.pkgd.js
index 41c14b4..0442645 100644
--- a/js/wpFeatherlight.pkgd.js
+++ b/js/wpFeatherlight.pkgd.js
@@ -448,7 +448,7 @@
 			jquery: {
 				regex: /^[#.]\w/,         /* Anything that starts with a class name or identifiers */
 				test: function(elem)    { return elem instanceof $ && elem; },
-				process: function(elem) { return this.persist !== false ? $(elem) : $(elem).clone(true); }
+				process: function(elem) { var $elem = $(document).find(elem); return this.persist !== false ? $elem : $elem.clone(true); }
 			},
 			image: {
 				regex: /\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,
@@ -456,7 +456,7 @@
 					var self = this,
 						deferred = $.Deferred(),
 						img = new Image(),
-						$img = $('<img src="'+url+'" alt="" class="'+self.namespace+'-image" />');
+						$img = $('<img alt="" class="'+self.namespace+'-image" />').attr( 'src', url );
 					img.onload  = function() {
 						/* Store naturalWidth & height for IE8 */
 						$img.naturalWidth = img.width; $img.naturalHeight = img.height;
@@ -469,7 +469,24 @@
 			},
 			html: {
 				regex: /^\s*<[\w!][^<]*>/, /* Anything that starts with some kind of valid tag */
-				process: function(html) { return $(html); }
+				process: function(html) {
+					/* Sanitize untrusted markup: drop <script>, inline event handlers and javascript: URLs to prevent DOM XSS (CVE-2024-5667). */
+					var $html = $($.parseHTML('' + html, document, false));
+					$html.find('*').addBack().each(function() {
+						if (!this.attributes) {
+							return;
+						}
+						for (var i = this.attributes.length - 1; i >= 0; i--) {
+							var attrName  = this.attributes[i].name,
+								lowerName = attrName.toLowerCase(),
+								value     = ('' + this.attributes[i].value).replace(/[\s ]+/g, '').toLowerCase();
+							if (0 === lowerName.indexOf('on') || (('href' === lowerName || 'src' === lowerName || 'xlink:href' === lowerName) && 0 === value.indexOf('javascript:'))) {
+								this.removeAttribute(attrName);
+							}
+						}
+					});
+					return $html;
+				}
 			},
 			ajax: {
 				regex: /./,            /* At this point, any content is assumed to be an URL */
diff --git a/js/wpFeatherlight.pkgd.min.js b/js/wpFeatherlight.pkgd.min.js
index 7500e2b..4ec026e 100644
--- a/js/wpFeatherlight.pkgd.min.js
+++ b/js/wpFeatherlight.pkgd.min.js
@@ -1 +1 @@
-!function(e){"function"==typeof define&&define.amd?define(["jquery"],e):"object"==typeof exports?module.exports=e(require("jquery")):e(jQuery)}(function(s){var c,l,u=!(s.detectSwipe={version:"2.1.2",enabled:"ontouchstart"in document.documentElement,preventDefault:!0,threshold:20});function f(){this.removeEventListener("touchmove",t),this.removeEventListener("touchend",f),u=!1}function t(e){if(s.detectSwipe.preventDefault&&e.preventDefault(),u){var t,n=e.touches[0].pageX,i=e.touches[0].pageY,r=c-n,a=l-i,o=window.devicePixelRatio||1;Math.abs(r)*o>=s.detectSwipe.threshold?t=0<r?"left":"right":Math.abs(a)*o>=s.detectSwipe.threshold&&(t=0<a?"up":"down"),t&&(f.call(this),s(this).trigger("swipe",t).trigger("swipe"+t))}}function e(e){1==e.touches.length&&(c=e.touches[0].pageX,l=e.touches[0].pageY,u=!0,this.addEventListener("touchmove",t,!1),this.addEventListener("touchend",f,!1))}s.event.special.swipe={setup:function(){this.addEventListener&&this.addEventListener("touchstart",e,!1)}},s.each(["left","up","down","right"],function(){s.event.special["swipe"+this]={setup:function(){s(this).on("swipe",s.noop)}}})}),function(u){"use strict";if(void 0!==u)if(u.fn.jquery.match(/-ajax/))"console"in window&&window.console.info("Featherlight needs regular jQuery, not the slim version.");else{var i=[],r=function(t){return i=u.grep(i,function(e){return e!==t&&0<e.$instance.closest("body").length})},a={allow:1,allowfullscreen:1,frameborder:1,height:1,longdesc:1,marginheight:1,marginwidth:1,mozallowfullscreen:1,name:1,referrerpolicy:1,sandbox:1,scrolling:1,src:1,srcdoc:1,style:1,webkitallowfullscreen:1,width:1},n={keyup:"onKeyUp",resize:"onResize"},o=function(e){u.each(c.opened().reverse(),function(){if(!e.isDefaultPrevented()&&!1===this[n[e.type]](e))return e.preventDefault(),e.stopPropagation(),!1})},s=function(e){if(e!==c._globalHandlerInstalled){c._globalHandlerInstalled=e;var t=u.map(n,function(e,t){return t+"."+c.prototype.namespace}).join(" ");u(window)[e?"on":"off"](t,o)}};c.prototype={constructor:c,namespace:"featherlight",targetAttr:"data-featherlight",variant:null,resetCss:!1,background:null,openTrigger:"click",closeTrigger:"click",filter:null,root:"body",openSpeed:250,closeSpeed:250,closeOnClick:"background",closeOnEsc:!0,closeIcon:"&#10005;",loading:"",persist:!1,otherClose:null,beforeOpen:u.noop,beforeContent:u.noop,beforeClose:u.noop,afterOpen:u.noop,afterContent:u.noop,afterClose:u.noop,onKeyUp:u.noop,onResize:u.noop,type:null,contentFilters:["jquery","image","html","ajax","iframe","text"],setup:function(e,t){"object"!=typeof e||e instanceof u!=!1||t||(t=e,e=void 0);var n=u.extend(this,t,{target:e}),i=n.resetCss?n.namespace+"-reset":n.namespace,r=u(n.background||['<div class="'+i+"-loading "+i+'">','<div class="'+i+'-content">','<button class="'+i+"-close-icon "+n.namespace+'-close" aria-label="Close">',n.closeIcon,"</button>",'<div class="'+n.namespace+'-inner">'+n.loading+"</div>","</div>","</div>"].join("")),a="."+n.namespace+"-close"+(n.otherClose?","+n.otherClose:"");return n.$instance=r.clone().addClass(n.variant),n.$instance.on(n.closeTrigger+"."+n.namespace,function(e){if(!e.isDefaultPrevented()){var t=u(e.target);("background"===n.closeOnClick&&t.is("."+n.namespace)||"anywhere"===n.closeOnClick||t.closest(a).length)&&(n.close(e),e.preventDefault())}}),this},getContent:function(){if(!1!==this.persist&&this.$content)return this.$content;var t=this,e=this.constructor.contentFilters,n=function(e){return t.$currentTarget&&t.$currentTarget.attr(e)},i=n(t.targetAttr),r=t.target||i||"",a=e[t.type];if(!a&&r in e&&(a=e[r],r=t.target&&i),r=r||n("href")||"",!a)for(var o in e)t[o]&&(a=e[o],r=t[o]);if(!a){var s=r;if(r=null,u.each(t.contentFilters,function(){return(a=e[this]).test&&(r=a.test(s)),!r&&a.regex&&s.match&&s.match(a.regex)&&(r=s),!r}),!r)return"console"in window&&window.console.error("Featherlight: no content filter found "+(s?' for "'+s+'"':" (no target specified)")),!1}return a.process.call(t,r)},setContent:function(e){return this.$instance.removeClass(this.namespace+"-loading"),this.$instance.toggleClass(this.namespace+"-iframe",e.is("iframe")),this.$instance.find("."+this.namespace+"-inner").not(e).slice(1).remove().end().replaceWith(u.contains(this.$instance[0],e[0])?"":e),this.$content=e.addClass(this.namespace+"-inner"),this},open:function(t){var n=this;if(n.$instance.hide().appendTo(n.root),!(t&&t.isDefaultPrevented()||!1===n.beforeOpen(t))){t&&t.preventDefault();var e=n.getContent();if(e)return i.push(n),s(!0),n.$instance.fadeIn(n.openSpeed),n.beforeContent(t),u.when(e).always(function(e){n.setContent(e),n.afterContent(t)}).then(n.$instance.promise()).done(function(){n.afterOpen(t)})}return n.$instance.detach(),u.Deferred().reject().promise()},close:function(e){var t=this,n=u.Deferred();return!1===t.beforeClose(e)?n.reject():(0===r(t).length&&s(!1),t.$instance.fadeOut(t.closeSpeed,function(){t.$instance.detach(),t.afterClose(e),n.resolve()})),n.promise()},resize:function(e,t){if(e&&t){this.$content.css("width","").css("height","");var n=Math.max(e/(this.$content.parent().width()-1),t/(this.$content.parent().height()-1));1<n&&(n=t/Math.floor(t/n),this.$content.css("width",e/n+"px").css("height",t/n+"px"))}},chainCallbacks:function(e){for(var t in e)this[t]=u.proxy(e[t],this,u.proxy(this[t],this))}},u.extend(c,{id:0,autoBind:"[data-featherlight]",defaults:c.prototype,contentFilters:{jquery:{regex:/^[#.]\w/,test:function(e){return e instanceof u&&e},process:function(e){return!1!==this.persist?u(e):u(e).clone(!0)}},image:{regex:/\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,process:function(e){var t=u.Deferred(),n=new Image,i=u('<img src="'+e+'" alt="" class="'+this.namespace+'-image" />');return n.onload=function(){i.naturalWidth=n.width,i.naturalHeight=n.height,t.resolve(i)},n.onerror=function(){t.reject(i)},n.src=e,t.promise()}},html:{regex:/^\s*<[\w!][^<]*>/,process:function(e){return u(e)}},ajax:{regex:/./,process:function(e){var n=u.Deferred(),i=u("<div></div>").load(e,function(e,t){"error"!==t&&n.resolve(i.contents()),n.fail()});return n.promise()}},iframe:{process:function(e){var t=new u.Deferred,n=u("<iframe/>"),i=function(e,t){var n={},i=new RegExp("^"+t+"([A-Z])(.*)");for(var r in e){var a=r.match(i);a&&(n[(a[1]+a[2].replace(/([A-Z])/g,"-$1")).toLowerCase()]=e[r])}return n}(this,"iframe"),r=function(e,t){var n={};for(var i in e)i in t&&(n[i]=e[i],delete e[i]);return n}(i,a);return n.hide().attr("src",e).attr(r).css(i).on("load",function(){t.resolve(n.show())}).appendTo(this.$instance.find("."+this.namespace+"-content")),t.promise()}},text:{process:function(e){return u("<div>",{text:e})}}},functionAttributes:["beforeOpen","afterOpen","beforeContent","afterContent","beforeClose","afterClose"],readElementConfig:function(e,t){var i=this,r=new RegExp("^data-"+t+"-(.*)"),a={};return e&&e.attributes&&u.each(e.attributes,function(){var e=this.name.match(r);if(e){var t=this.value,n=u.camelCase(e[1]);if(0<=u.inArray(n,i.functionAttributes))t=new Function(t);else try{t=JSON.parse(t)}catch(e){}a[n]=t}}),a},extend:function(e,t){var n=function(){this.constructor=e};return n.prototype=this.prototype,e.prototype=new n,e.__super__=this.prototype,u.extend(e,this,t),e.defaults=e.prototype,e},attach:function(r,a,o){var s=this;"object"!=typeof a||a instanceof u!=!1||o||(o=a,a=void 0);var c,e=(o=u.extend({},o)).namespace||s.defaults.namespace,l=u.extend({},s.defaults,s.readElementConfig(r[0],e),o),t=function(e){var t=u(e.currentTarget),n=u.extend({$source:r,$currentTarget:t},s.readElementConfig(r[0],l.namespace),s.readElementConfig(e.currentTarget,l.namespace),o),i=c||t.data("featherlight-persisted")||new s(a,n);"shared"===i.persist?c=i:!1!==i.persist&&t.data("featherlight-persisted",i),n.$currentTarget.blur&&n.$currentTarget.blur(),i.open(e)};return r.on(l.openTrigger+"."+l.namespace,l.filter,t),{filter:l.filter,handler:t}},current:function(){var e=this.opened();return e[e.length-1]||null},opened:function(){var t=this;return r(),u.grep(i,function(e){return e instanceof t})},close:function(e){var t=this.current();if(t)return t.close(e)},_onReady:function(){var i=this;if(i.autoBind){var r=u(i.autoBind);r.each(function(){i.attach(u(this))}),u(document).on("click",i.autoBind,function(e){if(!e.isDefaultPrevented()){var t=u(e.currentTarget);if(r.length!==(r=r.add(t)).length){var n=i.attach(t);(!n.filter||0<u(e.target).parentsUntil(t,n.filter).length)&&n.handler(e)}}})}},_callbackChain:{onKeyUp:function(e,t){return 27===t.keyCode?(this.closeOnEsc&&u.featherlight.close(t),!1):e(t)},beforeOpen:function(e,t){return u(document.documentElement).addClass("with-featherlight"),this._previouslyActive=document.activeElement,this._$previouslyTabbable=u("a, input, select, textarea, iframe, button, iframe, [contentEditable=true]").not("[tabindex]").not(this.$instance.find("button")),this._$previouslyWithTabIndex=u("[tabindex]").not('[tabindex="-1"]'),this._previousWithTabIndices=this._$previouslyWithTabIndex.map(function(e,t){return u(t).attr("tabindex")}),this._$previouslyWithTabIndex.add(this._$previouslyTabbable).attr("tabindex",-1),document.activeElement.blur&&document.activeElement.blur(),e(t)},afterClose:function(e,t){var n=e(t),i=this;return this._$previouslyTabbable.removeAttr("tabindex"),this._$previouslyWithTabIndex.each(function(e,t){u(t).attr("tabindex",i._previousWithTabIndices[e])}),this._previouslyActive.focus(),0===c.opened().length&&u(document.documentElement).removeClass("with-featherlight"),n},onResize:function(e,t){return this.resize(this.$content.naturalWidth,this.$content.naturalHeight),e(t)},afterContent:function(e,t){var n=e(t);return this.$instance.find("[autofocus]:not([disabled])").focus(),this.onResize(t),n}}}),u.featherlight=c,u.fn.featherlight=function(e,t){return c.attach(this,e,t),this},u(document).ready(function(){c._onReady()})}else"console"in window&&window.console.info("Too much lightness, Featherlight needs jQuery.");function c(e,t){if(!(this instanceof c)){var n=new c(e,t);return n.open(),n}this.id=c.id++,this.setup(e,t),this.chainCallbacks(c._callbackChain)}}(jQuery),function(a){"use strict";var e=function(e){window.console&&window.console.warn&&window.console.warn("FeatherlightGallery: "+e)};if(void 0===a)return e("Too much lightness, Featherlight needs jQuery.");if(!a.featherlight)return e("Load the featherlight plugin before the gallery plugin");var t="ontouchstart"in window||window.DocumentTouch&&document instanceof DocumentTouch,n=a.event&&a.event.special.swipeleft&&a,i=window.Hammer&&function(e){var t=new window.Hammer.Manager(e[0]);return t.add(new window.Hammer.Swipe),t},r=t&&(n||i);t&&!r&&e("No compatible swipe library detected; one must be included before featherlightGallery for swipe motions to navigate the galleries.");var o={afterClose:function(e,t){var n=this;return n.$instance.off("next."+n.namespace+" previous."+n.namespace),n._swiper&&(n._swiper.off("swipeleft",n._swipeleft).off("swiperight",n._swiperight),n._swiper=null),e(t)},beforeOpen:function(e,t){var n=this;return n.$instance.on("next."+n.namespace+" previous."+n.namespace,function(e){var t="next"===e.type?1:-1;n.navigateTo(n.currentNavigation()+t)}),r&&(n._swiper=r(n.$instance).on("swipeleft",n._swipeleft=function(){n.$instance.trigger("next")}).on("swiperight",n._swiperight=function(){n.$instance.trigger("previous")}),n.$instance.addClass(this.namespace+"-swipe-aware",r)),n.$instance.find("."+n.namespace+"-content").append(n.createNavigation("previous")).append(n.createNavigation("next")),e(t)},beforeContent:function(e,t){var n=this.currentNavigation(),i=this.slides().length;return this.$instance.toggleClass(this.namespace+"-first-slide",0===n).toggleClass(this.namespace+"-last-slide",n===i-1),e(t)},onKeyUp:function(e,t){var n={37:"previous",39:"next"}[t.keyCode];return n?(this.$instance.trigger(n),!1):e(t)}};function s(e,t){if(!(this instanceof s)){var n=new s(a.extend({$source:e,$currentTarget:e.first()},t));return n.open(),n}a.featherlight.apply(this,arguments),this.chainCallbacks(o)}a.featherlight.extend(s,{autoBind:"[data-featherlight-gallery]"}),a.extend(s.prototype,{previousIcon:"&#9664;",nextIcon:"&#9654;",galleryFadeIn:100,galleryFadeOut:300,slides:function(){return this.filter?this.$source.find(this.filter):this.$source},images:function(){return e("images is deprecated, please use slides instead"),this.slides()},currentNavigation:function(){return this.slides().index(this.$currentTarget)},navigateTo:function(e){var t=this,n=t.slides(),i=n.length,r=t.$instance.find("."+t.namespace+"-inner");return e=(e%i+i)%i,t.$currentTarget=n.eq(e),t.beforeContent(),a.when(t.getContent(),r.fadeTo(t.galleryFadeOut,.2)).always(function(e){t.setContent(e),t.afterContent(),e.fadeTo(t.galleryFadeIn,1)})},createNavigation:function(t){var n=this;return a('<span title="'+t+'" class="'+this.namespace+"-"+t+'"><span>'+this[t+"Icon"]+"</span></span>").click(function(e){a(this).trigger(t+"."+n.namespace),e.preventDefault()})}}),a.featherlightGallery=s,a.fn.featherlightGallery=function(e){return s.attach(this,e),this},a(document).ready(function(){s._onReady()})}(jQuery),function(e,i,t){"use strict";var n=i(document.body);function r(e,t){return/(.png|.jpg|.jpeg|.gif|.tiff|.bmp)$/.test(i(t).attr("href").toLowerCase().split("?")[0].split("#")[0])}function a(e,t){var n=i(t).find("a[data-featherlight]");n.attr("data-featherlight")&&n.featherlightGallery({previousIcon:"",nextIcon:""})}function o(){var e;i.featherlight.defaults.closeIcon="",n.find("a[href]").filter(r).attr("data-featherlight","image"),0!==(e=n.find('[class*="gallery"]')).length&&i.each(e,a),n.hasClass("wp-featherlight-captions")&&(i.featherlight.prototype.afterContent=function(){var e=this.$instance,t=function(e){var t=e.parent().find(".wp-caption-text");if(0!==t.length)return t;var n=e.parent().find("figcaption");if(0!==n.length)return n;var i=e.parents(".gallery-item");if(0!==i.length)return i.find(".wp-caption-text");var r=e.parents(".blocks-gallery-item");if(0!==r.length)return r.find("figcaption");var a=e.parents(".tiled-gallery-item");return 0!==a.length?a.find(".tiled-gallery-caption"):""}(this.$currentTarget);e.find(".caption").remove(),0!==t.length&&(i('<div class="caption">').appendTo(e.find(".featherlight-content"))[0].innerHTML=t.html())})}i(document).ready(function(){o()})}(0,jQuery);
\ No newline at end of file
+!function(e){"function"==typeof define&&define.amd?define(["jquery"],e):"object"==typeof exports?module.exports=e(require("jquery")):e(jQuery)}(function(s){var c,l,u=!(s.detectSwipe={version:"2.1.2",enabled:"ontouchstart"in document.documentElement,preventDefault:!0,threshold:20});function f(){this.removeEventListener("touchmove",t),this.removeEventListener("touchend",f),u=!1}function t(e){if(s.detectSwipe.preventDefault&&e.preventDefault(),u){var t,n=e.touches[0].pageX,i=e.touches[0].pageY,r=c-n,a=l-i,o=window.devicePixelRatio||1;Math.abs(r)*o>=s.detectSwipe.threshold?t=0<r?"left":"right":Math.abs(a)*o>=s.detectSwipe.threshold&&(t=0<a?"up":"down"),t&&(f.call(this),s(this).trigger("swipe",t).trigger("swipe"+t))}}function e(e){1==e.touches.length&&(c=e.touches[0].pageX,l=e.touches[0].pageY,u=!0,this.addEventListener("touchmove",t,!1),this.addEventListener("touchend",f,!1))}s.event.special.swipe={setup:function(){this.addEventListener&&this.addEventListener("touchstart",e,!1)}},s.each(["left","up","down","right"],function(){s.event.special["swipe"+this]={setup:function(){s(this).on("swipe",s.noop)}}})}),function(u){"use strict";if(void 0!==u)if(u.fn.jquery.match(/-ajax/))"console"in window&&window.console.info("Featherlight needs regular jQuery, not the slim version.");else{var i=[],r=function(t){return i=u.grep(i,function(e){return e!==t&&0<e.$instance.closest("body").length})},a={allow:1,allowfullscreen:1,frameborder:1,height:1,longdesc:1,marginheight:1,marginwidth:1,mozallowfullscreen:1,name:1,referrerpolicy:1,sandbox:1,scrolling:1,src:1,srcdoc:1,style:1,webkitallowfullscreen:1,width:1},n={keyup:"onKeyUp",resize:"onResize"},o=function(e){u.each(c.opened().reverse(),function(){if(!e.isDefaultPrevented()&&!1===this[n[e.type]](e))return e.preventDefault(),e.stopPropagation(),!1})},s=function(e){if(e!==c._globalHandlerInstalled){c._globalHandlerInstalled=e;var t=u.map(n,function(e,t){return t+"."+c.prototype.namespace}).join(" ");u(window)[e?"on":"off"](t,o)}};c.prototype={constructor:c,namespace:"featherlight",targetAttr:"data-featherlight",variant:null,resetCss:!1,background:null,openTrigger:"click",closeTrigger:"click",filter:null,root:"body",openSpeed:250,closeSpeed:250,closeOnClick:"background",closeOnEsc:!0,closeIcon:"&#10005;",loading:"",persist:!1,otherClose:null,beforeOpen:u.noop,beforeContent:u.noop,beforeClose:u.noop,afterOpen:u.noop,afterContent:u.noop,afterClose:u.noop,onKeyUp:u.noop,onResize:u.noop,type:null,contentFilters:["jquery","image","html","ajax","iframe","text"],setup:function(e,t){"object"!=typeof e||e instanceof u!=!1||t||(t=e,e=void 0);var n=u.extend(this,t,{target:e}),i=n.resetCss?n.namespace+"-reset":n.namespace,r=u(n.background||['<div class="'+i+"-loading "+i+'">','<div class="'+i+'-content">','<button class="'+i+"-close-icon "+n.namespace+'-close" aria-label="Close">',n.closeIcon,"</button>",'<div class="'+n.namespace+'-inner">'+n.loading+"</div>","</div>","</div>"].join("")),a="."+n.namespace+"-close"+(n.otherClose?","+n.otherClose:"");return n.$instance=r.clone().addClass(n.variant),n.$instance.on(n.closeTrigger+"."+n.namespace,function(e){if(!e.isDefaultPrevented()){var t=u(e.target);("background"===n.closeOnClick&&t.is("."+n.namespace)||"anywhere"===n.closeOnClick||t.closest(a).length)&&(n.close(e),e.preventDefault())}}),this},getContent:function(){if(!1!==this.persist&&this.$content)return this.$content;var t=this,e=this.constructor.contentFilters,n=function(e){return t.$currentTarget&&t.$currentTarget.attr(e)},i=n(t.targetAttr),r=t.target||i||"",a=e[t.type];if(!a&&r in e&&(a=e[r],r=t.target&&i),r=r||n("href")||"",!a)for(var o in e)t[o]&&(a=e[o],r=t[o]);if(!a){var s=r;if(r=null,u.each(t.contentFilters,function(){return(a=e[this]).test&&(r=a.test(s)),!r&&a.regex&&s.match&&s.match(a.regex)&&(r=s),!r}),!r)return"console"in window&&window.console.error("Featherlight: no content filter found "+(s?' for "'+s+'"':" (no target specified)")),!1}return a.process.call(t,r)},setContent:function(e){return this.$instance.removeClass(this.namespace+"-loading"),this.$instance.toggleClass(this.namespace+"-iframe",e.is("iframe")),this.$instance.find("."+this.namespace+"-inner").not(e).slice(1).remove().end().replaceWith(u.contains(this.$instance[0],e[0])?"":e),this.$content=e.addClass(this.namespace+"-inner"),this},open:function(t){var n=this;if(n.$instance.hide().appendTo(n.root),!(t&&t.isDefaultPrevented()||!1===n.beforeOpen(t))){t&&t.preventDefault();var e=n.getContent();if(e)return i.push(n),s(!0),n.$instance.fadeIn(n.openSpeed),n.beforeContent(t),u.when(e).always(function(e){n.setContent(e),n.afterContent(t)}).then(n.$instance.promise()).done(function(){n.afterOpen(t)})}return n.$instance.detach(),u.Deferred().reject().promise()},close:function(e){var t=this,n=u.Deferred();return!1===t.beforeClose(e)?n.reject():(0===r(t).length&&s(!1),t.$instance.fadeOut(t.closeSpeed,function(){t.$instance.detach(),t.afterClose(e),n.resolve()})),n.promise()},resize:function(e,t){if(e&&t){this.$content.css("width","").css("height","");var n=Math.max(e/(this.$content.parent().width()-1),t/(this.$content.parent().height()-1));1<n&&(n=t/Math.floor(t/n),this.$content.css("width",e/n+"px").css("height",t/n+"px"))}},chainCallbacks:function(e){for(var t in e)this[t]=u.proxy(e[t],this,u.proxy(this[t],this))}},u.extend(c,{id:0,autoBind:"[data-featherlight]",defaults:c.prototype,contentFilters:{jquery:{regex:/^[#.]\w/,test:function(e){return e instanceof u&&e},process:function(e){var t=u(document).find(e);return!1!==this.persist?t:t.clone(!0)}},image:{regex:/\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,process:function(e){var t=u.Deferred(),n=new Image,i=u('<img alt="" class="'+this.namespace+'-image" />').attr("src",e);return n.onload=function(){i.naturalWidth=n.width,i.naturalHeight=n.height,t.resolve(i)},n.onerror=function(){t.reject(i)},n.src=e,t.promise()}},html:{regex:/^\s*<[\w!][^<]*>/,process:function(e){var t=u(u.parseHTML(""+e,document,!1));return t.find("*").addBack().each(function(){var e=this.attributes;if(e)for(var t=e.length-1;t>=0;t--){var n=e[t].name,i=n.toLowerCase(),r=(""+e[t].value).replace(/[\s ]+/g,"").toLowerCase();(0===i.indexOf("on")||("href"===i||"src"===i||"xlink:href"===i)&&0===r.indexOf("javascript:"))&&this.removeAttribute(n)}}),t}},ajax:{regex:/./,process:function(e){var n=u.Deferred(),i=u("<div></div>").load(e,function(e,t){"error"!==t&&n.resolve(i.contents()),n.fail()});return n.promise()}},iframe:{process:function(e){var t=new u.Deferred,n=u("<iframe/>"),i=function(e,t){var n={},i=new RegExp("^"+t+"([A-Z])(.*)");for(var r in e){var a=r.match(i);a&&(n[(a[1]+a[2].replace(/([A-Z])/g,"-$1")).toLowerCase()]=e[r])}return n}(this,"iframe"),r=function(e,t){var n={};for(var i in e)i in t&&(n[i]=e[i],delete e[i]);return n}(i,a);return n.hide().attr("src",e).attr(r).css(i).on("load",function(){t.resolve(n.show())}).appendTo(this.$instance.find("."+this.namespace+"-content")),t.promise()}},text:{process:function(e){return u("<div>",{text:e})}}},functionAttributes:["beforeOpen","afterOpen","beforeContent","afterContent","beforeClose","afterClose"],readElementConfig:function(e,t){var i=this,r=new RegExp("^data-"+t+"-(.*)"),a={};return e&&e.attributes&&u.each(e.attributes,function(){var e=this.name.match(r);if(e){var t=this.value,n=u.camelCase(e[1]);if(0<=u.inArray(n,i.functionAttributes))t=new Function(t);else try{t=JSON.parse(t)}catch(e){}a[n]=t}}),a},extend:function(e,t){var n=function(){this.constructor=e};return n.prototype=this.prototype,e.prototype=new n,e.__super__=this.prototype,u.extend(e,this,t),e.defaults=e.prototype,e},attach:function(r,a,o){var s=this;"object"!=typeof a||a instanceof u!=!1||o||(o=a,a=void 0);var c,e=(o=u.extend({},o)).namespace||s.defaults.namespace,l=u.extend({},s.defaults,s.readElementConfig(r[0],e),o),t=function(e){var t=u(e.currentTarget),n=u.extend({$source:r,$currentTarget:t},s.readElementConfig(r[0],l.namespace),s.readElementConfig(e.currentTarget,l.namespace),o),i=c||t.data("featherlight-persisted")||new s(a,n);"shared"===i.persist?c=i:!1!==i.persist&&t.data("featherlight-persisted",i),n.$currentTarget.blur&&n.$currentTarget.blur(),i.open(e)};return r.on(l.openTrigger+"."+l.namespace,l.filter,t),{filter:l.filter,handler:t}},current:function(){var e=this.opened();return e[e.length-1]||null},opened:function(){var t=this;return r(),u.grep(i,function(e){return e instanceof t})},close:function(e){var t=this.current();if(t)return t.close(e)},_onReady:function(){var i=this;if(i.autoBind){var r=u(i.autoBind);r.each(function(){i.attach(u(this))}),u(document).on("click",i.autoBind,function(e){if(!e.isDefaultPrevented()){var t=u(e.currentTarget);if(r.length!==(r=r.add(t)).length){var n=i.attach(t);(!n.filter||0<u(e.target).parentsUntil(t,n.filter).length)&&n.handler(e)}}})}},_callbackChain:{onKeyUp:function(e,t){return 27===t.keyCode?(this.closeOnEsc&&u.featherlight.close(t),!1):e(t)},beforeOpen:function(e,t){return u(document.documentElement).addClass("with-featherlight"),this._previouslyActive=document.activeElement,this._$previouslyTabbable=u("a, input, select, textarea, iframe, button, iframe, [contentEditable=true]").not("[tabindex]").not(this.$instance.find("button")),this._$previouslyWithTabIndex=u("[tabindex]").not('[tabindex="-1"]'),this._previousWithTabIndices=this._$previouslyWithTabIndex.map(function(e,t){return u(t).attr("tabindex")}),this._$previouslyWithTabIndex.add(this._$previouslyTabbable).attr("tabindex",-1),document.activeElement.blur&&document.activeElement.blur(),e(t)},afterClose:function(e,t){var n=e(t),i=this;return this._$previouslyTabbable.removeAttr("tabindex"),this._$previouslyWithTabIndex.each(function(e,t){u(t).attr("tabindex",i._previousWithTabIndices[e])}),this._previouslyActive.focus(),0===c.opened().length&&u(document.documentElement).removeClass("with-featherlight"),n},onResize:function(e,t){return this.resize(this.$content.naturalWidth,this.$content.naturalHeight),e(t)},afterContent:function(e,t){var n=e(t);return this.$instance.find("[autofocus]:not([disabled])").focus(),this.onResize(t),n}}}),u.featherlight=c,u.fn.featherlight=function(e,t){return c.attach(this,e,t),this},u(document).ready(function(){c._onReady()})}else"console"in window&&window.console.info("Too much lightness, Featherlight needs jQuery.");function c(e,t){if(!(this instanceof c)){var n=new c(e,t);return n.open(),n}this.id=c.id++,this.setup(e,t),this.chainCallbacks(c._callbackChain)}}(jQuery),function(a){"use strict";var e=function(e){window.console&&window.console.warn&&window.console.warn("FeatherlightGallery: "+e)};if(void 0===a)return e("Too much lightness, Featherlight needs jQuery.");if(!a.featherlight)return e("Load the featherlight plugin before the gallery plugin");var t="ontouchstart"in window||window.DocumentTouch&&document instanceof DocumentTouch,n=a.event&&a.event.special.swipeleft&&a,i=window.Hammer&&function(e){var t=new window.Hammer.Manager(e[0]);return t.add(new window.Hammer.Swipe),t},r=t&&(n||i);t&&!r&&e("No compatible swipe library detected; one must be included before featherlightGallery for swipe motions to navigate the galleries.");var o={afterClose:function(e,t){var n=this;return n.$instance.off("next."+n.namespace+" previous."+n.namespace),n._swiper&&(n._swiper.off("swipeleft",n._swipeleft).off("swiperight",n._swiperight),n._swiper=null),e(t)},beforeOpen:function(e,t){var n=this;return n.$instance.on("next."+n.namespace+" previous."+n.namespace,function(e){var t="next"===e.type?1:-1;n.navigateTo(n.currentNavigation()+t)}),r&&(n._swiper=r(n.$instance).on("swipeleft",n._swipeleft=function(){n.$instance.trigger("next")}).on("swiperight",n._swiperight=function(){n.$instance.trigger("previous")}),n.$instance.addClass(this.namespace+"-swipe-aware",r)),n.$instance.find("."+n.namespace+"-content").append(n.createNavigation("previous")).append(n.createNavigation("next")),e(t)},beforeContent:function(e,t){var n=this.currentNavigation(),i=this.slides().length;return this.$instance.toggleClass(this.namespace+"-first-slide",0===n).toggleClass(this.namespace+"-last-slide",n===i-1),e(t)},onKeyUp:function(e,t){var n={37:"previous",39:"next"}[t.keyCode];return n?(this.$instance.trigger(n),!1):e(t)}};function s(e,t){if(!(this instanceof s)){var n=new s(a.extend({$source:e,$currentTarget:e.first()},t));return n.open(),n}a.featherlight.apply(this,arguments),this.chainCallbacks(o)}a.featherlight.extend(s,{autoBind:"[data-featherlight-gallery]"}),a.extend(s.prototype,{previousIcon:"&#9664;",nextIcon:"&#9654;",galleryFadeIn:100,galleryFadeOut:300,slides:function(){return this.filter?this.$source.find(this.filter):this.$source},images:function(){return e("images is deprecated, please use slides instead"),this.slides()},currentNavigation:function(){return this.slides().index(this.$currentTarget)},navigateTo:function(e){var t=this,n=t.slides(),i=n.length,r=t.$instance.find("."+t.namespace+"-inner");return e=(e%i+i)%i,t.$currentTarget=n.eq(e),t.beforeContent(),a.when(t.getContent(),r.fadeTo(t.galleryFadeOut,.2)).always(function(e){t.setContent(e),t.afterContent(),e.fadeTo(t.galleryFadeIn,1)})},createNavigation:function(t){var n=this;return a('<span title="'+t+'" class="'+this.namespace+"-"+t+'"><span>'+this[t+"Icon"]+"</span></span>").click(function(e){a(this).trigger(t+"."+n.namespace),e.preventDefault()})}}),a.featherlightGallery=s,a.fn.featherlightGallery=function(e){return s.attach(this,e),this},a(document).ready(function(){s._onReady()})}(jQuery),function(e,i,t){"use strict";var n=i(document.body);function r(e,t){return/(.png|.jpg|.jpeg|.gif|.tiff|.bmp)$/.test(i(t).attr("href").toLowerCase().split("?")[0].split("#")[0])}function a(e,t){var n=i(t).find("a[data-featherlight]");n.attr("data-featherlight")&&n.featherlightGallery({previousIcon:"",nextIcon:""})}function o(){var e;i.featherlight.defaults.closeIcon="",n.find("a[href]").filter(r).attr("data-featherlight","image"),0!==(e=n.find('[class*="gallery"]')).length&&i.each(e,a),n.hasClass("wp-featherlight-captions")&&(i.featherlight.prototype.afterContent=function(){var e=this.$instance,t=function(e){var t=e.parent().find(".wp-caption-text");if(0!==t.length)return t;var n=e.parent().find("figcaption");if(0!==n.length)return n;var i=e.parents(".gallery-item");if(0!==i.length)return i.find(".wp-caption-text");var r=e.parents(".blocks-gallery-item");if(0!==r.length)return r.find("figcaption");var a=e.parents(".tiled-gallery-item");return 0!==a.length?a.find(".tiled-gallery-caption"):""}(this.$currentTarget);e.find(".caption").remove(),0!==t.length&&(i('<div class="caption">').appendTo(e.find(".featherlight-content"))[0].innerHTML=t.html())})}i(document).ready(function(){o()})}(0,jQuery);
\ No newline at end of file
diff --git a/readme.txt b/readme.txt
index 64e1fef..d5e2a48 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,8 +4,8 @@ Contributors: fatmedia, cipherdevgroup, ozzyr
 Tags: lightbox, jquery lightbox, jquery, gallery, image, lightbox images, image lightbox, lightbox gallery, lightbox image, lightbox popup, featherlight, photo gallery, popup image, popup images, popup lightbox, responsive lightbox, swipe, wordpress image lightbox, wordpress lightbox, wordpress slideshow lightbox, photography, images, minimal, responsive, photo, photos  
 Requires at least: 4.0  
 Tested up to: 5.5.0  
-Stable tag: 1.3.4  
-License: GPL-2.0+  
+Stable tag: 1.3.5
+License: GPL-2.0+
 
 An ultra lightweight jQuery lightbox for WordPress images and galleries.
 
@@ -37,6 +37,11 @@ If you'd like to submit code patches or contribute in any other way, please [for
 
 == Changelog ==
 
+= 1.3.5 =
+This is a security release.
+
+- Security: Fixed an authenticated (Contributor+) stored DOM-based XSS in the bundled Featherlight library (CVE-2024-5667).
+
 = 1.3.3 =
 This is primarily a maintenance release, but one tweak was made.
 
diff --git a/wp-featherlight.php b/wp-featherlight.php
index c4b77bb..d23b6cb 100644
--- a/wp-featherlight.php
+++ b/wp-featherlight.php
@@ -3,7 +3,7 @@
  * Plugin Name:  WP Featherlight
  * Plugin URI:   https://wpfeatherlight.cipherdevelopment.com
  * Description:  An ultra lightweight jQuery lightbox for WordPress images and galleries.
- * Version:      1.3.4
+ * Version:      1.3.5
  * Author:       Cipher
  * Author URI:   https://cipherdevelopment.com
  * License:      GPL-2.0+

From 449e2058d86c533b48ae3e73daec8d04f5869c3c Mon Sep 17 00:00:00 2001
From: "Alexander \"Axel\" Huxel" <alex.huxel@coding-pioneers.com>
Date: Thu, 11 Jun 2026 09:07:39 +0200
Subject: [PATCH 2/3] fix(security): sanitize lightbox captions to close second
 DOM-XSS sink

addCaptions() assigned caption markup via innerHTML (caption.html()),
which executes inline event handlers (e.g. <img onerror>) and other
script when a caption contains raw HTML. Parse the caption with
$.parseHTML (keepScripts=false) and strip on* handlers and javascript:
URLs before appending, matching the html content-filter hardening.

Applied to the source (assets/plugin/js) and all built/minified bundles.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 CHANGELOG.md                       |  1 +
 assets/plugin/js/wpFeatherlight.js | 17 ++++++++++++++++-
 js/wpFeatherlight.js               | 17 ++++++++++++++++-
 js/wpFeatherlight.min.js           |  2 +-
 js/wpFeatherlight.pkgd.js          | 17 ++++++++++++++++-
 js/wpFeatherlight.pkgd.min.js      |  2 +-
 6 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 96d0a87..17f3595 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ This is a security release.
 
 Here's a full list of what's changed since the last release:
 - Security: Fixed an authenticated (Contributor+) stored DOM-based XSS in the bundled Featherlight library (CVE-2024-5667). Image URLs are now assigned as attribute values instead of being concatenated into markup, the jQuery selector filter no longer parses input as HTML, and HTML lightbox content is sanitized to strip inline event handlers, `javascript:` URLs and `<script>` tags.
+- Security: Hardened the caption feature (`addCaptions`) so caption markup is sanitized before insertion instead of being assigned via `innerHTML`, closing a second DOM-XSS sink reachable by users able to store raw caption HTML.
 
 ## 1.3.4
 This is a maintenance release.
diff --git a/assets/plugin/js/wpFeatherlight.js b/assets/plugin/js/wpFeatherlight.js
index 62a9a2a..8d74a01 100644
--- a/assets/plugin/js/wpFeatherlight.js
+++ b/assets/plugin/js/wpFeatherlight.js
@@ -121,7 +121,22 @@
 
 			if ( 0 !== caption.length ) {
 				var $captionElm = $( '<div class="caption">' ).appendTo( object.find( '.featherlight-content' ) );
-				$captionElm[0].innerHTML = caption.html();
+				/* Sanitize caption markup before insertion: drop inline event handlers, javascript: URLs and <script> to prevent DOM XSS (CVE-2024-5667). */
+			var $captionHtml = $( $.parseHTML( '' + caption.html(), document, false ) );
+			$captionHtml.find( '*' ).addBack().each( function() {
+				if ( ! this.attributes ) {
+					return;
+				}
+				for ( var i = this.attributes.length - 1; i >= 0; i-- ) {
+					var attrName  = this.attributes[ i ].name,
+						lowerName = attrName.toLowerCase(),
+						value     = ( '' + this.attributes[ i ].value ).replace( /[\s ]+/g, '' ).toLowerCase();
+					if ( 0 === lowerName.indexOf( 'on' ) || ( ( 'href' === lowerName || 'src' === lowerName || 'xlink:href' === lowerName ) && 0 === value.indexOf( 'javascript:' ) ) ) {
+						this.removeAttribute( attrName );
+					}
+				}
+			});
+			$captionElm.append( $captionHtml );
 			}
 		};
 	}
diff --git a/js/wpFeatherlight.js b/js/wpFeatherlight.js
index 62a9a2a..8d74a01 100644
--- a/js/wpFeatherlight.js
+++ b/js/wpFeatherlight.js
@@ -121,7 +121,22 @@
 
 			if ( 0 !== caption.length ) {
 				var $captionElm = $( '<div class="caption">' ).appendTo( object.find( '.featherlight-content' ) );
-				$captionElm[0].innerHTML = caption.html();
+				/* Sanitize caption markup before insertion: drop inline event handlers, javascript: URLs and <script> to prevent DOM XSS (CVE-2024-5667). */
+			var $captionHtml = $( $.parseHTML( '' + caption.html(), document, false ) );
+			$captionHtml.find( '*' ).addBack().each( function() {
+				if ( ! this.attributes ) {
+					return;
+				}
+				for ( var i = this.attributes.length - 1; i >= 0; i-- ) {
+					var attrName  = this.attributes[ i ].name,
+						lowerName = attrName.toLowerCase(),
+						value     = ( '' + this.attributes[ i ].value ).replace( /[\s ]+/g, '' ).toLowerCase();
+					if ( 0 === lowerName.indexOf( 'on' ) || ( ( 'href' === lowerName || 'src' === lowerName || 'xlink:href' === lowerName ) && 0 === value.indexOf( 'javascript:' ) ) ) {
+						this.removeAttribute( attrName );
+					}
+				}
+			});
+			$captionElm.append( $captionHtml );
 			}
 		};
 	}
diff --git a/js/wpFeatherlight.min.js b/js/wpFeatherlight.min.js
index 5e304ce..b87e889 100644
--- a/js/wpFeatherlight.min.js
+++ b/js/wpFeatherlight.min.js
@@ -1 +1 @@
-!function(t,a,e){"use strict";var n=a(document.body);function r(t,e){return/(.png|.jpg|.jpeg|.gif|.tiff|.bmp)$/.test(a(e).attr("href").toLowerCase().split("?")[0].split("#")[0])}function i(t,e){var n=a(e).find("a[data-featherlight]");n.attr("data-featherlight")&&n.featherlightGallery({previousIcon:"",nextIcon:""})}function f(){var t;a.featherlight.defaults.closeIcon="",n.find("a[href]").filter(r).attr("data-featherlight","image"),0!==(t=n.find('[class*="gallery"]')).length&&a.each(t,i),n.hasClass("wp-featherlight-captions")&&(a.featherlight.prototype.afterContent=function(){var t=this.$instance,e=function(t){var e=t.parent().find(".wp-caption-text");if(0!==e.length)return e;var n=t.parent().find("figcaption");if(0!==n.length)return n;var a=t.parents(".gallery-item");if(0!==a.length)return a.find(".wp-caption-text");var r=t.parents(".blocks-gallery-item");if(0!==r.length)return r.find("figcaption");var i=t.parents(".tiled-gallery-item");return 0!==i.length?i.find(".tiled-gallery-caption"):""}(this.$currentTarget);t.find(".caption").remove(),0!==e.length&&(a('<div class="caption">').appendTo(t.find(".featherlight-content"))[0].innerHTML=e.html())})}a(document).ready(function(){f()})}(0,jQuery);
\ No newline at end of file
+!function(t,a,e){"use strict";var n=a(document.body);function r(t,e){return/(.png|.jpg|.jpeg|.gif|.tiff|.bmp)$/.test(a(e).attr("href").toLowerCase().split("?")[0].split("#")[0])}function i(t,e){var n=a(e).find("a[data-featherlight]");n.attr("data-featherlight")&&n.featherlightGallery({previousIcon:"",nextIcon:""})}function f(){var t;a.featherlight.defaults.closeIcon="",n.find("a[href]").filter(r).attr("data-featherlight","image"),0!==(t=n.find('[class*="gallery"]')).length&&a.each(t,i),n.hasClass("wp-featherlight-captions")&&(a.featherlight.prototype.afterContent=function(){var t=this.$instance,e=function(t){var e=t.parent().find(".wp-caption-text");if(0!==e.length)return e;var n=t.parent().find("figcaption");if(0!==n.length)return n;var a=t.parents(".gallery-item");if(0!==a.length)return a.find(".wp-caption-text");var r=t.parents(".blocks-gallery-item");if(0!==r.length)return r.find("figcaption");var i=t.parents(".tiled-gallery-item");return 0!==i.length?i.find(".tiled-gallery-caption"):""}(this.$currentTarget);t.find(".caption").remove(),0!==e.length&&a('<div class="caption">').appendTo(t.find(".featherlight-content")).append(function(s){var o=a(a.parseHTML(""+s,document,!1));return o.find("*").addBack().each(function(){var e=this.attributes;if(e)for(var t=e.length-1;t>=0;t--){var n=e[t].name,r=n.toLowerCase(),i=(""+e[t].value).replace(/[\s ]+/g,"").toLowerCase();(0===r.indexOf("on")||("href"===r||"src"===r||"xlink:href"===r)&&0===i.indexOf("javascript:"))&&this.removeAttribute(n)}}),o}(e.html()))})}a(document).ready(function(){f()})}(0,jQuery);
\ No newline at end of file
diff --git a/js/wpFeatherlight.pkgd.js b/js/wpFeatherlight.pkgd.js
index 0442645..f053a7a 100644
--- a/js/wpFeatherlight.pkgd.js
+++ b/js/wpFeatherlight.pkgd.js
@@ -1036,7 +1036,22 @@
 
 			if ( 0 !== caption.length ) {
 				var $captionElm = $( '<div class="caption">' ).appendTo( object.find( '.featherlight-content' ) );
-				$captionElm[0].innerHTML = caption.html();
+				/* Sanitize caption markup before insertion: drop inline event handlers, javascript: URLs and <script> to prevent DOM XSS (CVE-2024-5667). */
+				var $captionHtml = $( $.parseHTML( '' + caption.html(), document, false ) );
+				$captionHtml.find( '*' ).addBack().each( function() {
+					if ( ! this.attributes ) {
+						return;
+					}
+					for ( var i = this.attributes.length - 1; i >= 0; i-- ) {
+						var attrName  = this.attributes[ i ].name,
+							lowerName = attrName.toLowerCase(),
+							value     = ( '' + this.attributes[ i ].value ).replace( /[\s ]+/g, '' ).toLowerCase();
+						if ( 0 === lowerName.indexOf( 'on' ) || ( ( 'href' === lowerName || 'src' === lowerName || 'xlink:href' === lowerName ) && 0 === value.indexOf( 'javascript:' ) ) ) {
+							this.removeAttribute( attrName );
+						}
+					}
+				});
+				$captionElm.append( $captionHtml );
 			}
 		};
 	}
diff --git a/js/wpFeatherlight.pkgd.min.js b/js/wpFeatherlight.pkgd.min.js
index 4ec026e..d8427df 100644
--- a/js/wpFeatherlight.pkgd.min.js
+++ b/js/wpFeatherlight.pkgd.min.js
@@ -1 +1 @@
-!function(e){"function"==typeof define&&define.amd?define(["jquery"],e):"object"==typeof exports?module.exports=e(require("jquery")):e(jQuery)}(function(s){var c,l,u=!(s.detectSwipe={version:"2.1.2",enabled:"ontouchstart"in document.documentElement,preventDefault:!0,threshold:20});function f(){this.removeEventListener("touchmove",t),this.removeEventListener("touchend",f),u=!1}function t(e){if(s.detectSwipe.preventDefault&&e.preventDefault(),u){var t,n=e.touches[0].pageX,i=e.touches[0].pageY,r=c-n,a=l-i,o=window.devicePixelRatio||1;Math.abs(r)*o>=s.detectSwipe.threshold?t=0<r?"left":"right":Math.abs(a)*o>=s.detectSwipe.threshold&&(t=0<a?"up":"down"),t&&(f.call(this),s(this).trigger("swipe",t).trigger("swipe"+t))}}function e(e){1==e.touches.length&&(c=e.touches[0].pageX,l=e.touches[0].pageY,u=!0,this.addEventListener("touchmove",t,!1),this.addEventListener("touchend",f,!1))}s.event.special.swipe={setup:function(){this.addEventListener&&this.addEventListener("touchstart",e,!1)}},s.each(["left","up","down","right"],function(){s.event.special["swipe"+this]={setup:function(){s(this).on("swipe",s.noop)}}})}),function(u){"use strict";if(void 0!==u)if(u.fn.jquery.match(/-ajax/))"console"in window&&window.console.info("Featherlight needs regular jQuery, not the slim version.");else{var i=[],r=function(t){return i=u.grep(i,function(e){return e!==t&&0<e.$instance.closest("body").length})},a={allow:1,allowfullscreen:1,frameborder:1,height:1,longdesc:1,marginheight:1,marginwidth:1,mozallowfullscreen:1,name:1,referrerpolicy:1,sandbox:1,scrolling:1,src:1,srcdoc:1,style:1,webkitallowfullscreen:1,width:1},n={keyup:"onKeyUp",resize:"onResize"},o=function(e){u.each(c.opened().reverse(),function(){if(!e.isDefaultPrevented()&&!1===this[n[e.type]](e))return e.preventDefault(),e.stopPropagation(),!1})},s=function(e){if(e!==c._globalHandlerInstalled){c._globalHandlerInstalled=e;var t=u.map(n,function(e,t){return t+"."+c.prototype.namespace}).join(" ");u(window)[e?"on":"off"](t,o)}};c.prototype={constructor:c,namespace:"featherlight",targetAttr:"data-featherlight",variant:null,resetCss:!1,background:null,openTrigger:"click",closeTrigger:"click",filter:null,root:"body",openSpeed:250,closeSpeed:250,closeOnClick:"background",closeOnEsc:!0,closeIcon:"&#10005;",loading:"",persist:!1,otherClose:null,beforeOpen:u.noop,beforeContent:u.noop,beforeClose:u.noop,afterOpen:u.noop,afterContent:u.noop,afterClose:u.noop,onKeyUp:u.noop,onResize:u.noop,type:null,contentFilters:["jquery","image","html","ajax","iframe","text"],setup:function(e,t){"object"!=typeof e||e instanceof u!=!1||t||(t=e,e=void 0);var n=u.extend(this,t,{target:e}),i=n.resetCss?n.namespace+"-reset":n.namespace,r=u(n.background||['<div class="'+i+"-loading "+i+'">','<div class="'+i+'-content">','<button class="'+i+"-close-icon "+n.namespace+'-close" aria-label="Close">',n.closeIcon,"</button>",'<div class="'+n.namespace+'-inner">'+n.loading+"</div>","</div>","</div>"].join("")),a="."+n.namespace+"-close"+(n.otherClose?","+n.otherClose:"");return n.$instance=r.clone().addClass(n.variant),n.$instance.on(n.closeTrigger+"."+n.namespace,function(e){if(!e.isDefaultPrevented()){var t=u(e.target);("background"===n.closeOnClick&&t.is("."+n.namespace)||"anywhere"===n.closeOnClick||t.closest(a).length)&&(n.close(e),e.preventDefault())}}),this},getContent:function(){if(!1!==this.persist&&this.$content)return this.$content;var t=this,e=this.constructor.contentFilters,n=function(e){return t.$currentTarget&&t.$currentTarget.attr(e)},i=n(t.targetAttr),r=t.target||i||"",a=e[t.type];if(!a&&r in e&&(a=e[r],r=t.target&&i),r=r||n("href")||"",!a)for(var o in e)t[o]&&(a=e[o],r=t[o]);if(!a){var s=r;if(r=null,u.each(t.contentFilters,function(){return(a=e[this]).test&&(r=a.test(s)),!r&&a.regex&&s.match&&s.match(a.regex)&&(r=s),!r}),!r)return"console"in window&&window.console.error("Featherlight: no content filter found "+(s?' for "'+s+'"':" (no target specified)")),!1}return a.process.call(t,r)},setContent:function(e){return this.$instance.removeClass(this.namespace+"-loading"),this.$instance.toggleClass(this.namespace+"-iframe",e.is("iframe")),this.$instance.find("."+this.namespace+"-inner").not(e).slice(1).remove().end().replaceWith(u.contains(this.$instance[0],e[0])?"":e),this.$content=e.addClass(this.namespace+"-inner"),this},open:function(t){var n=this;if(n.$instance.hide().appendTo(n.root),!(t&&t.isDefaultPrevented()||!1===n.beforeOpen(t))){t&&t.preventDefault();var e=n.getContent();if(e)return i.push(n),s(!0),n.$instance.fadeIn(n.openSpeed),n.beforeContent(t),u.when(e).always(function(e){n.setContent(e),n.afterContent(t)}).then(n.$instance.promise()).done(function(){n.afterOpen(t)})}return n.$instance.detach(),u.Deferred().reject().promise()},close:function(e){var t=this,n=u.Deferred();return!1===t.beforeClose(e)?n.reject():(0===r(t).length&&s(!1),t.$instance.fadeOut(t.closeSpeed,function(){t.$instance.detach(),t.afterClose(e),n.resolve()})),n.promise()},resize:function(e,t){if(e&&t){this.$content.css("width","").css("height","");var n=Math.max(e/(this.$content.parent().width()-1),t/(this.$content.parent().height()-1));1<n&&(n=t/Math.floor(t/n),this.$content.css("width",e/n+"px").css("height",t/n+"px"))}},chainCallbacks:function(e){for(var t in e)this[t]=u.proxy(e[t],this,u.proxy(this[t],this))}},u.extend(c,{id:0,autoBind:"[data-featherlight]",defaults:c.prototype,contentFilters:{jquery:{regex:/^[#.]\w/,test:function(e){return e instanceof u&&e},process:function(e){var t=u(document).find(e);return!1!==this.persist?t:t.clone(!0)}},image:{regex:/\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,process:function(e){var t=u.Deferred(),n=new Image,i=u('<img alt="" class="'+this.namespace+'-image" />').attr("src",e);return n.onload=function(){i.naturalWidth=n.width,i.naturalHeight=n.height,t.resolve(i)},n.onerror=function(){t.reject(i)},n.src=e,t.promise()}},html:{regex:/^\s*<[\w!][^<]*>/,process:function(e){var t=u(u.parseHTML(""+e,document,!1));return t.find("*").addBack().each(function(){var e=this.attributes;if(e)for(var t=e.length-1;t>=0;t--){var n=e[t].name,i=n.toLowerCase(),r=(""+e[t].value).replace(/[\s ]+/g,"").toLowerCase();(0===i.indexOf("on")||("href"===i||"src"===i||"xlink:href"===i)&&0===r.indexOf("javascript:"))&&this.removeAttribute(n)}}),t}},ajax:{regex:/./,process:function(e){var n=u.Deferred(),i=u("<div></div>").load(e,function(e,t){"error"!==t&&n.resolve(i.contents()),n.fail()});return n.promise()}},iframe:{process:function(e){var t=new u.Deferred,n=u("<iframe/>"),i=function(e,t){var n={},i=new RegExp("^"+t+"([A-Z])(.*)");for(var r in e){var a=r.match(i);a&&(n[(a[1]+a[2].replace(/([A-Z])/g,"-$1")).toLowerCase()]=e[r])}return n}(this,"iframe"),r=function(e,t){var n={};for(var i in e)i in t&&(n[i]=e[i],delete e[i]);return n}(i,a);return n.hide().attr("src",e).attr(r).css(i).on("load",function(){t.resolve(n.show())}).appendTo(this.$instance.find("."+this.namespace+"-content")),t.promise()}},text:{process:function(e){return u("<div>",{text:e})}}},functionAttributes:["beforeOpen","afterOpen","beforeContent","afterContent","beforeClose","afterClose"],readElementConfig:function(e,t){var i=this,r=new RegExp("^data-"+t+"-(.*)"),a={};return e&&e.attributes&&u.each(e.attributes,function(){var e=this.name.match(r);if(e){var t=this.value,n=u.camelCase(e[1]);if(0<=u.inArray(n,i.functionAttributes))t=new Function(t);else try{t=JSON.parse(t)}catch(e){}a[n]=t}}),a},extend:function(e,t){var n=function(){this.constructor=e};return n.prototype=this.prototype,e.prototype=new n,e.__super__=this.prototype,u.extend(e,this,t),e.defaults=e.prototype,e},attach:function(r,a,o){var s=this;"object"!=typeof a||a instanceof u!=!1||o||(o=a,a=void 0);var c,e=(o=u.extend({},o)).namespace||s.defaults.namespace,l=u.extend({},s.defaults,s.readElementConfig(r[0],e),o),t=function(e){var t=u(e.currentTarget),n=u.extend({$source:r,$currentTarget:t},s.readElementConfig(r[0],l.namespace),s.readElementConfig(e.currentTarget,l.namespace),o),i=c||t.data("featherlight-persisted")||new s(a,n);"shared"===i.persist?c=i:!1!==i.persist&&t.data("featherlight-persisted",i),n.$currentTarget.blur&&n.$currentTarget.blur(),i.open(e)};return r.on(l.openTrigger+"."+l.namespace,l.filter,t),{filter:l.filter,handler:t}},current:function(){var e=this.opened();return e[e.length-1]||null},opened:function(){var t=this;return r(),u.grep(i,function(e){return e instanceof t})},close:function(e){var t=this.current();if(t)return t.close(e)},_onReady:function(){var i=this;if(i.autoBind){var r=u(i.autoBind);r.each(function(){i.attach(u(this))}),u(document).on("click",i.autoBind,function(e){if(!e.isDefaultPrevented()){var t=u(e.currentTarget);if(r.length!==(r=r.add(t)).length){var n=i.attach(t);(!n.filter||0<u(e.target).parentsUntil(t,n.filter).length)&&n.handler(e)}}})}},_callbackChain:{onKeyUp:function(e,t){return 27===t.keyCode?(this.closeOnEsc&&u.featherlight.close(t),!1):e(t)},beforeOpen:function(e,t){return u(document.documentElement).addClass("with-featherlight"),this._previouslyActive=document.activeElement,this._$previouslyTabbable=u("a, input, select, textarea, iframe, button, iframe, [contentEditable=true]").not("[tabindex]").not(this.$instance.find("button")),this._$previouslyWithTabIndex=u("[tabindex]").not('[tabindex="-1"]'),this._previousWithTabIndices=this._$previouslyWithTabIndex.map(function(e,t){return u(t).attr("tabindex")}),this._$previouslyWithTabIndex.add(this._$previouslyTabbable).attr("tabindex",-1),document.activeElement.blur&&document.activeElement.blur(),e(t)},afterClose:function(e,t){var n=e(t),i=this;return this._$previouslyTabbable.removeAttr("tabindex"),this._$previouslyWithTabIndex.each(function(e,t){u(t).attr("tabindex",i._previousWithTabIndices[e])}),this._previouslyActive.focus(),0===c.opened().length&&u(document.documentElement).removeClass("with-featherlight"),n},onResize:function(e,t){return this.resize(this.$content.naturalWidth,this.$content.naturalHeight),e(t)},afterContent:function(e,t){var n=e(t);return this.$instance.find("[autofocus]:not([disabled])").focus(),this.onResize(t),n}}}),u.featherlight=c,u.fn.featherlight=function(e,t){return c.attach(this,e,t),this},u(document).ready(function(){c._onReady()})}else"console"in window&&window.console.info("Too much lightness, Featherlight needs jQuery.");function c(e,t){if(!(this instanceof c)){var n=new c(e,t);return n.open(),n}this.id=c.id++,this.setup(e,t),this.chainCallbacks(c._callbackChain)}}(jQuery),function(a){"use strict";var e=function(e){window.console&&window.console.warn&&window.console.warn("FeatherlightGallery: "+e)};if(void 0===a)return e("Too much lightness, Featherlight needs jQuery.");if(!a.featherlight)return e("Load the featherlight plugin before the gallery plugin");var t="ontouchstart"in window||window.DocumentTouch&&document instanceof DocumentTouch,n=a.event&&a.event.special.swipeleft&&a,i=window.Hammer&&function(e){var t=new window.Hammer.Manager(e[0]);return t.add(new window.Hammer.Swipe),t},r=t&&(n||i);t&&!r&&e("No compatible swipe library detected; one must be included before featherlightGallery for swipe motions to navigate the galleries.");var o={afterClose:function(e,t){var n=this;return n.$instance.off("next."+n.namespace+" previous."+n.namespace),n._swiper&&(n._swiper.off("swipeleft",n._swipeleft).off("swiperight",n._swiperight),n._swiper=null),e(t)},beforeOpen:function(e,t){var n=this;return n.$instance.on("next."+n.namespace+" previous."+n.namespace,function(e){var t="next"===e.type?1:-1;n.navigateTo(n.currentNavigation()+t)}),r&&(n._swiper=r(n.$instance).on("swipeleft",n._swipeleft=function(){n.$instance.trigger("next")}).on("swiperight",n._swiperight=function(){n.$instance.trigger("previous")}),n.$instance.addClass(this.namespace+"-swipe-aware",r)),n.$instance.find("."+n.namespace+"-content").append(n.createNavigation("previous")).append(n.createNavigation("next")),e(t)},beforeContent:function(e,t){var n=this.currentNavigation(),i=this.slides().length;return this.$instance.toggleClass(this.namespace+"-first-slide",0===n).toggleClass(this.namespace+"-last-slide",n===i-1),e(t)},onKeyUp:function(e,t){var n={37:"previous",39:"next"}[t.keyCode];return n?(this.$instance.trigger(n),!1):e(t)}};function s(e,t){if(!(this instanceof s)){var n=new s(a.extend({$source:e,$currentTarget:e.first()},t));return n.open(),n}a.featherlight.apply(this,arguments),this.chainCallbacks(o)}a.featherlight.extend(s,{autoBind:"[data-featherlight-gallery]"}),a.extend(s.prototype,{previousIcon:"&#9664;",nextIcon:"&#9654;",galleryFadeIn:100,galleryFadeOut:300,slides:function(){return this.filter?this.$source.find(this.filter):this.$source},images:function(){return e("images is deprecated, please use slides instead"),this.slides()},currentNavigation:function(){return this.slides().index(this.$currentTarget)},navigateTo:function(e){var t=this,n=t.slides(),i=n.length,r=t.$instance.find("."+t.namespace+"-inner");return e=(e%i+i)%i,t.$currentTarget=n.eq(e),t.beforeContent(),a.when(t.getContent(),r.fadeTo(t.galleryFadeOut,.2)).always(function(e){t.setContent(e),t.afterContent(),e.fadeTo(t.galleryFadeIn,1)})},createNavigation:function(t){var n=this;return a('<span title="'+t+'" class="'+this.namespace+"-"+t+'"><span>'+this[t+"Icon"]+"</span></span>").click(function(e){a(this).trigger(t+"."+n.namespace),e.preventDefault()})}}),a.featherlightGallery=s,a.fn.featherlightGallery=function(e){return s.attach(this,e),this},a(document).ready(function(){s._onReady()})}(jQuery),function(e,i,t){"use strict";var n=i(document.body);function r(e,t){return/(.png|.jpg|.jpeg|.gif|.tiff|.bmp)$/.test(i(t).attr("href").toLowerCase().split("?")[0].split("#")[0])}function a(e,t){var n=i(t).find("a[data-featherlight]");n.attr("data-featherlight")&&n.featherlightGallery({previousIcon:"",nextIcon:""})}function o(){var e;i.featherlight.defaults.closeIcon="",n.find("a[href]").filter(r).attr("data-featherlight","image"),0!==(e=n.find('[class*="gallery"]')).length&&i.each(e,a),n.hasClass("wp-featherlight-captions")&&(i.featherlight.prototype.afterContent=function(){var e=this.$instance,t=function(e){var t=e.parent().find(".wp-caption-text");if(0!==t.length)return t;var n=e.parent().find("figcaption");if(0!==n.length)return n;var i=e.parents(".gallery-item");if(0!==i.length)return i.find(".wp-caption-text");var r=e.parents(".blocks-gallery-item");if(0!==r.length)return r.find("figcaption");var a=e.parents(".tiled-gallery-item");return 0!==a.length?a.find(".tiled-gallery-caption"):""}(this.$currentTarget);e.find(".caption").remove(),0!==t.length&&(i('<div class="caption">').appendTo(e.find(".featherlight-content"))[0].innerHTML=t.html())})}i(document).ready(function(){o()})}(0,jQuery);
\ No newline at end of file
+!function(e){"function"==typeof define&&define.amd?define(["jquery"],e):"object"==typeof exports?module.exports=e(require("jquery")):e(jQuery)}(function(s){var c,l,u=!(s.detectSwipe={version:"2.1.2",enabled:"ontouchstart"in document.documentElement,preventDefault:!0,threshold:20});function f(){this.removeEventListener("touchmove",t),this.removeEventListener("touchend",f),u=!1}function t(e){if(s.detectSwipe.preventDefault&&e.preventDefault(),u){var t,n=e.touches[0].pageX,i=e.touches[0].pageY,r=c-n,a=l-i,o=window.devicePixelRatio||1;Math.abs(r)*o>=s.detectSwipe.threshold?t=0<r?"left":"right":Math.abs(a)*o>=s.detectSwipe.threshold&&(t=0<a?"up":"down"),t&&(f.call(this),s(this).trigger("swipe",t).trigger("swipe"+t))}}function e(e){1==e.touches.length&&(c=e.touches[0].pageX,l=e.touches[0].pageY,u=!0,this.addEventListener("touchmove",t,!1),this.addEventListener("touchend",f,!1))}s.event.special.swipe={setup:function(){this.addEventListener&&this.addEventListener("touchstart",e,!1)}},s.each(["left","up","down","right"],function(){s.event.special["swipe"+this]={setup:function(){s(this).on("swipe",s.noop)}}})}),function(u){"use strict";if(void 0!==u)if(u.fn.jquery.match(/-ajax/))"console"in window&&window.console.info("Featherlight needs regular jQuery, not the slim version.");else{var i=[],r=function(t){return i=u.grep(i,function(e){return e!==t&&0<e.$instance.closest("body").length})},a={allow:1,allowfullscreen:1,frameborder:1,height:1,longdesc:1,marginheight:1,marginwidth:1,mozallowfullscreen:1,name:1,referrerpolicy:1,sandbox:1,scrolling:1,src:1,srcdoc:1,style:1,webkitallowfullscreen:1,width:1},n={keyup:"onKeyUp",resize:"onResize"},o=function(e){u.each(c.opened().reverse(),function(){if(!e.isDefaultPrevented()&&!1===this[n[e.type]](e))return e.preventDefault(),e.stopPropagation(),!1})},s=function(e){if(e!==c._globalHandlerInstalled){c._globalHandlerInstalled=e;var t=u.map(n,function(e,t){return t+"."+c.prototype.namespace}).join(" ");u(window)[e?"on":"off"](t,o)}};c.prototype={constructor:c,namespace:"featherlight",targetAttr:"data-featherlight",variant:null,resetCss:!1,background:null,openTrigger:"click",closeTrigger:"click",filter:null,root:"body",openSpeed:250,closeSpeed:250,closeOnClick:"background",closeOnEsc:!0,closeIcon:"&#10005;",loading:"",persist:!1,otherClose:null,beforeOpen:u.noop,beforeContent:u.noop,beforeClose:u.noop,afterOpen:u.noop,afterContent:u.noop,afterClose:u.noop,onKeyUp:u.noop,onResize:u.noop,type:null,contentFilters:["jquery","image","html","ajax","iframe","text"],setup:function(e,t){"object"!=typeof e||e instanceof u!=!1||t||(t=e,e=void 0);var n=u.extend(this,t,{target:e}),i=n.resetCss?n.namespace+"-reset":n.namespace,r=u(n.background||['<div class="'+i+"-loading "+i+'">','<div class="'+i+'-content">','<button class="'+i+"-close-icon "+n.namespace+'-close" aria-label="Close">',n.closeIcon,"</button>",'<div class="'+n.namespace+'-inner">'+n.loading+"</div>","</div>","</div>"].join("")),a="."+n.namespace+"-close"+(n.otherClose?","+n.otherClose:"");return n.$instance=r.clone().addClass(n.variant),n.$instance.on(n.closeTrigger+"."+n.namespace,function(e){if(!e.isDefaultPrevented()){var t=u(e.target);("background"===n.closeOnClick&&t.is("."+n.namespace)||"anywhere"===n.closeOnClick||t.closest(a).length)&&(n.close(e),e.preventDefault())}}),this},getContent:function(){if(!1!==this.persist&&this.$content)return this.$content;var t=this,e=this.constructor.contentFilters,n=function(e){return t.$currentTarget&&t.$currentTarget.attr(e)},i=n(t.targetAttr),r=t.target||i||"",a=e[t.type];if(!a&&r in e&&(a=e[r],r=t.target&&i),r=r||n("href")||"",!a)for(var o in e)t[o]&&(a=e[o],r=t[o]);if(!a){var s=r;if(r=null,u.each(t.contentFilters,function(){return(a=e[this]).test&&(r=a.test(s)),!r&&a.regex&&s.match&&s.match(a.regex)&&(r=s),!r}),!r)return"console"in window&&window.console.error("Featherlight: no content filter found "+(s?' for "'+s+'"':" (no target specified)")),!1}return a.process.call(t,r)},setContent:function(e){return this.$instance.removeClass(this.namespace+"-loading"),this.$instance.toggleClass(this.namespace+"-iframe",e.is("iframe")),this.$instance.find("."+this.namespace+"-inner").not(e).slice(1).remove().end().replaceWith(u.contains(this.$instance[0],e[0])?"":e),this.$content=e.addClass(this.namespace+"-inner"),this},open:function(t){var n=this;if(n.$instance.hide().appendTo(n.root),!(t&&t.isDefaultPrevented()||!1===n.beforeOpen(t))){t&&t.preventDefault();var e=n.getContent();if(e)return i.push(n),s(!0),n.$instance.fadeIn(n.openSpeed),n.beforeContent(t),u.when(e).always(function(e){n.setContent(e),n.afterContent(t)}).then(n.$instance.promise()).done(function(){n.afterOpen(t)})}return n.$instance.detach(),u.Deferred().reject().promise()},close:function(e){var t=this,n=u.Deferred();return!1===t.beforeClose(e)?n.reject():(0===r(t).length&&s(!1),t.$instance.fadeOut(t.closeSpeed,function(){t.$instance.detach(),t.afterClose(e),n.resolve()})),n.promise()},resize:function(e,t){if(e&&t){this.$content.css("width","").css("height","");var n=Math.max(e/(this.$content.parent().width()-1),t/(this.$content.parent().height()-1));1<n&&(n=t/Math.floor(t/n),this.$content.css("width",e/n+"px").css("height",t/n+"px"))}},chainCallbacks:function(e){for(var t in e)this[t]=u.proxy(e[t],this,u.proxy(this[t],this))}},u.extend(c,{id:0,autoBind:"[data-featherlight]",defaults:c.prototype,contentFilters:{jquery:{regex:/^[#.]\w/,test:function(e){return e instanceof u&&e},process:function(e){var t=u(document).find(e);return!1!==this.persist?t:t.clone(!0)}},image:{regex:/\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,process:function(e){var t=u.Deferred(),n=new Image,i=u('<img alt="" class="'+this.namespace+'-image" />').attr("src",e);return n.onload=function(){i.naturalWidth=n.width,i.naturalHeight=n.height,t.resolve(i)},n.onerror=function(){t.reject(i)},n.src=e,t.promise()}},html:{regex:/^\s*<[\w!][^<]*>/,process:function(e){var t=u(u.parseHTML(""+e,document,!1));return t.find("*").addBack().each(function(){var e=this.attributes;if(e)for(var t=e.length-1;t>=0;t--){var n=e[t].name,i=n.toLowerCase(),r=(""+e[t].value).replace(/[\s ]+/g,"").toLowerCase();(0===i.indexOf("on")||("href"===i||"src"===i||"xlink:href"===i)&&0===r.indexOf("javascript:"))&&this.removeAttribute(n)}}),t}},ajax:{regex:/./,process:function(e){var n=u.Deferred(),i=u("<div></div>").load(e,function(e,t){"error"!==t&&n.resolve(i.contents()),n.fail()});return n.promise()}},iframe:{process:function(e){var t=new u.Deferred,n=u("<iframe/>"),i=function(e,t){var n={},i=new RegExp("^"+t+"([A-Z])(.*)");for(var r in e){var a=r.match(i);a&&(n[(a[1]+a[2].replace(/([A-Z])/g,"-$1")).toLowerCase()]=e[r])}return n}(this,"iframe"),r=function(e,t){var n={};for(var i in e)i in t&&(n[i]=e[i],delete e[i]);return n}(i,a);return n.hide().attr("src",e).attr(r).css(i).on("load",function(){t.resolve(n.show())}).appendTo(this.$instance.find("."+this.namespace+"-content")),t.promise()}},text:{process:function(e){return u("<div>",{text:e})}}},functionAttributes:["beforeOpen","afterOpen","beforeContent","afterContent","beforeClose","afterClose"],readElementConfig:function(e,t){var i=this,r=new RegExp("^data-"+t+"-(.*)"),a={};return e&&e.attributes&&u.each(e.attributes,function(){var e=this.name.match(r);if(e){var t=this.value,n=u.camelCase(e[1]);if(0<=u.inArray(n,i.functionAttributes))t=new Function(t);else try{t=JSON.parse(t)}catch(e){}a[n]=t}}),a},extend:function(e,t){var n=function(){this.constructor=e};return n.prototype=this.prototype,e.prototype=new n,e.__super__=this.prototype,u.extend(e,this,t),e.defaults=e.prototype,e},attach:function(r,a,o){var s=this;"object"!=typeof a||a instanceof u!=!1||o||(o=a,a=void 0);var c,e=(o=u.extend({},o)).namespace||s.defaults.namespace,l=u.extend({},s.defaults,s.readElementConfig(r[0],e),o),t=function(e){var t=u(e.currentTarget),n=u.extend({$source:r,$currentTarget:t},s.readElementConfig(r[0],l.namespace),s.readElementConfig(e.currentTarget,l.namespace),o),i=c||t.data("featherlight-persisted")||new s(a,n);"shared"===i.persist?c=i:!1!==i.persist&&t.data("featherlight-persisted",i),n.$currentTarget.blur&&n.$currentTarget.blur(),i.open(e)};return r.on(l.openTrigger+"."+l.namespace,l.filter,t),{filter:l.filter,handler:t}},current:function(){var e=this.opened();return e[e.length-1]||null},opened:function(){var t=this;return r(),u.grep(i,function(e){return e instanceof t})},close:function(e){var t=this.current();if(t)return t.close(e)},_onReady:function(){var i=this;if(i.autoBind){var r=u(i.autoBind);r.each(function(){i.attach(u(this))}),u(document).on("click",i.autoBind,function(e){if(!e.isDefaultPrevented()){var t=u(e.currentTarget);if(r.length!==(r=r.add(t)).length){var n=i.attach(t);(!n.filter||0<u(e.target).parentsUntil(t,n.filter).length)&&n.handler(e)}}})}},_callbackChain:{onKeyUp:function(e,t){return 27===t.keyCode?(this.closeOnEsc&&u.featherlight.close(t),!1):e(t)},beforeOpen:function(e,t){return u(document.documentElement).addClass("with-featherlight"),this._previouslyActive=document.activeElement,this._$previouslyTabbable=u("a, input, select, textarea, iframe, button, iframe, [contentEditable=true]").not("[tabindex]").not(this.$instance.find("button")),this._$previouslyWithTabIndex=u("[tabindex]").not('[tabindex="-1"]'),this._previousWithTabIndices=this._$previouslyWithTabIndex.map(function(e,t){return u(t).attr("tabindex")}),this._$previouslyWithTabIndex.add(this._$previouslyTabbable).attr("tabindex",-1),document.activeElement.blur&&document.activeElement.blur(),e(t)},afterClose:function(e,t){var n=e(t),i=this;return this._$previouslyTabbable.removeAttr("tabindex"),this._$previouslyWithTabIndex.each(function(e,t){u(t).attr("tabindex",i._previousWithTabIndices[e])}),this._previouslyActive.focus(),0===c.opened().length&&u(document.documentElement).removeClass("with-featherlight"),n},onResize:function(e,t){return this.resize(this.$content.naturalWidth,this.$content.naturalHeight),e(t)},afterContent:function(e,t){var n=e(t);return this.$instance.find("[autofocus]:not([disabled])").focus(),this.onResize(t),n}}}),u.featherlight=c,u.fn.featherlight=function(e,t){return c.attach(this,e,t),this},u(document).ready(function(){c._onReady()})}else"console"in window&&window.console.info("Too much lightness, Featherlight needs jQuery.");function c(e,t){if(!(this instanceof c)){var n=new c(e,t);return n.open(),n}this.id=c.id++,this.setup(e,t),this.chainCallbacks(c._callbackChain)}}(jQuery),function(a){"use strict";var e=function(e){window.console&&window.console.warn&&window.console.warn("FeatherlightGallery: "+e)};if(void 0===a)return e("Too much lightness, Featherlight needs jQuery.");if(!a.featherlight)return e("Load the featherlight plugin before the gallery plugin");var t="ontouchstart"in window||window.DocumentTouch&&document instanceof DocumentTouch,n=a.event&&a.event.special.swipeleft&&a,i=window.Hammer&&function(e){var t=new window.Hammer.Manager(e[0]);return t.add(new window.Hammer.Swipe),t},r=t&&(n||i);t&&!r&&e("No compatible swipe library detected; one must be included before featherlightGallery for swipe motions to navigate the galleries.");var o={afterClose:function(e,t){var n=this;return n.$instance.off("next."+n.namespace+" previous."+n.namespace),n._swiper&&(n._swiper.off("swipeleft",n._swipeleft).off("swiperight",n._swiperight),n._swiper=null),e(t)},beforeOpen:function(e,t){var n=this;return n.$instance.on("next."+n.namespace+" previous."+n.namespace,function(e){var t="next"===e.type?1:-1;n.navigateTo(n.currentNavigation()+t)}),r&&(n._swiper=r(n.$instance).on("swipeleft",n._swipeleft=function(){n.$instance.trigger("next")}).on("swiperight",n._swiperight=function(){n.$instance.trigger("previous")}),n.$instance.addClass(this.namespace+"-swipe-aware",r)),n.$instance.find("."+n.namespace+"-content").append(n.createNavigation("previous")).append(n.createNavigation("next")),e(t)},beforeContent:function(e,t){var n=this.currentNavigation(),i=this.slides().length;return this.$instance.toggleClass(this.namespace+"-first-slide",0===n).toggleClass(this.namespace+"-last-slide",n===i-1),e(t)},onKeyUp:function(e,t){var n={37:"previous",39:"next"}[t.keyCode];return n?(this.$instance.trigger(n),!1):e(t)}};function s(e,t){if(!(this instanceof s)){var n=new s(a.extend({$source:e,$currentTarget:e.first()},t));return n.open(),n}a.featherlight.apply(this,arguments),this.chainCallbacks(o)}a.featherlight.extend(s,{autoBind:"[data-featherlight-gallery]"}),a.extend(s.prototype,{previousIcon:"&#9664;",nextIcon:"&#9654;",galleryFadeIn:100,galleryFadeOut:300,slides:function(){return this.filter?this.$source.find(this.filter):this.$source},images:function(){return e("images is deprecated, please use slides instead"),this.slides()},currentNavigation:function(){return this.slides().index(this.$currentTarget)},navigateTo:function(e){var t=this,n=t.slides(),i=n.length,r=t.$instance.find("."+t.namespace+"-inner");return e=(e%i+i)%i,t.$currentTarget=n.eq(e),t.beforeContent(),a.when(t.getContent(),r.fadeTo(t.galleryFadeOut,.2)).always(function(e){t.setContent(e),t.afterContent(),e.fadeTo(t.galleryFadeIn,1)})},createNavigation:function(t){var n=this;return a('<span title="'+t+'" class="'+this.namespace+"-"+t+'"><span>'+this[t+"Icon"]+"</span></span>").click(function(e){a(this).trigger(t+"."+n.namespace),e.preventDefault()})}}),a.featherlightGallery=s,a.fn.featherlightGallery=function(e){return s.attach(this,e),this},a(document).ready(function(){s._onReady()})}(jQuery),function(e,i,t){"use strict";var n=i(document.body);function r(e,t){return/(.png|.jpg|.jpeg|.gif|.tiff|.bmp)$/.test(i(t).attr("href").toLowerCase().split("?")[0].split("#")[0])}function a(e,t){var n=i(t).find("a[data-featherlight]");n.attr("data-featherlight")&&n.featherlightGallery({previousIcon:"",nextIcon:""})}function o(){var e;i.featherlight.defaults.closeIcon="",n.find("a[href]").filter(r).attr("data-featherlight","image"),0!==(e=n.find('[class*="gallery"]')).length&&i.each(e,a),n.hasClass("wp-featherlight-captions")&&(i.featherlight.prototype.afterContent=function(){var e=this.$instance,t=function(e){var t=e.parent().find(".wp-caption-text");if(0!==t.length)return t;var n=e.parent().find("figcaption");if(0!==n.length)return n;var i=e.parents(".gallery-item");if(0!==i.length)return i.find(".wp-caption-text");var r=e.parents(".blocks-gallery-item");if(0!==r.length)return r.find("figcaption");var a=e.parents(".tiled-gallery-item");return 0!==a.length?a.find(".tiled-gallery-caption"):""}(this.$currentTarget);e.find(".caption").remove(),0!==t.length&&i('<div class="caption">').appendTo(e.find(".featherlight-content")).append(function(s){var o=i(i.parseHTML(""+s,document,!1));return o.find("*").addBack().each(function(){var e=this.attributes;if(e)for(var t=e.length-1;t>=0;t--){var n=e[t].name,r=n.toLowerCase(),a=(""+e[t].value).replace(/[\s ]+/g,"").toLowerCase();(0===r.indexOf("on")||("href"===r||"src"===r||"xlink:href"===r)&&0===a.indexOf("javascript:"))&&this.removeAttribute(n)}}),o}(t.html()))})}i(document).ready(function(){o()})}(0,jQuery);
\ No newline at end of file

From 555ce7f645c0aaef3720ae75fb14ed1d02a0d30c Mon Sep 17 00:00:00 2001
From: "Alexander \"Axel\" Huxel" <alex.huxel@coding-pioneers.com>
Date: Thu, 11 Jun 2026 09:15:58 +0200
Subject: [PATCH 3/3] build: revert vendor/featherlight sources, keep fix in
 shipped bundles

The CVE-2024-5667 content-filter hardening is retained in the packed
bundles (wpFeatherlight.pkgd[.min].js) that WordPress actually enqueues
by default. The standalone js/vendor/featherlight[.min].js copies are
restored to upstream to keep the third-party library unmodified.

Note: in SCRIPT_DEBUG/unpacked mode the unmodified vendor file loads, so
that mode is not hardened; and a grunt rebuild regenerates the bundles
from vendor and would drop the fix. Patch the dependency to make it
durable.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 js/vendor/featherlight.js     | 23 +++--------------------
 js/vendor/featherlight.min.js |  2 +-
 2 files changed, 4 insertions(+), 21 deletions(-)

diff --git a/js/vendor/featherlight.js b/js/vendor/featherlight.js
index c214f0e..e4e093d 100644
--- a/js/vendor/featherlight.js
+++ b/js/vendor/featherlight.js
@@ -362,7 +362,7 @@
 			jquery: {
 				regex: /^[#.]\w/,         /* Anything that starts with a class name or identifiers */
 				test: function(elem)    { return elem instanceof $ && elem; },
-				process: function(elem) { var $elem = $(document).find(elem); return this.persist !== false ? $elem : $elem.clone(true); }
+				process: function(elem) { return this.persist !== false ? $(elem) : $(elem).clone(true); }
 			},
 			image: {
 				regex: /\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,
@@ -370,7 +370,7 @@
 					var self = this,
 						deferred = $.Deferred(),
 						img = new Image(),
-						$img = $('<img alt="" class="'+self.namespace+'-image" />').attr( 'src', url );
+						$img = $('<img src="'+url+'" alt="" class="'+self.namespace+'-image" />');
 					img.onload  = function() {
 						/* Store naturalWidth & height for IE8 */
 						$img.naturalWidth = img.width; $img.naturalHeight = img.height;
@@ -383,24 +383,7 @@
 			},
 			html: {
 				regex: /^\s*<[\w!][^<]*>/, /* Anything that starts with some kind of valid tag */
-				process: function(html) {
-				/* Sanitize untrusted markup: drop <script>, inline event handlers and javascript: URLs to prevent DOM XSS (CVE-2024-5667). */
-				var $html = $($.parseHTML('' + html, document, false));
-				$html.find('*').addBack().each(function() {
-					if (!this.attributes) {
-						return;
-					}
-					for (var i = this.attributes.length - 1; i >= 0; i--) {
-						var attrName  = this.attributes[i].name,
-							lowerName = attrName.toLowerCase(),
-							value     = ('' + this.attributes[i].value).replace(/[\s ]+/g, '').toLowerCase();
-						if (0 === lowerName.indexOf('on') || (('href' === lowerName || 'src' === lowerName || 'xlink:href' === lowerName) && 0 === value.indexOf('javascript:'))) {
-							this.removeAttribute(attrName);
-						}
-					}
-				});
-				return $html;
-			}
+				process: function(html) { return $(html); }
 			},
 			ajax: {
 				regex: /./,            /* At this point, any content is assumed to be an URL */
diff --git a/js/vendor/featherlight.min.js b/js/vendor/featherlight.min.js
index a95d283..26e4e37 100644
--- a/js/vendor/featherlight.min.js
+++ b/js/vendor/featherlight.min.js
@@ -1 +1 @@
-!function(u){"use strict";if(void 0!==u)if(u.fn.jquery.match(/-ajax/))"console"in window&&window.console.info("Featherlight needs regular jQuery, not the slim version.");else{var r=[],i=function(t){return r=u.grep(r,function(e){return e!==t&&0<e.$instance.closest("body").length})},o={allow:1,allowfullscreen:1,frameborder:1,height:1,longdesc:1,marginheight:1,marginwidth:1,mozallowfullscreen:1,name:1,referrerpolicy:1,sandbox:1,scrolling:1,src:1,srcdoc:1,style:1,webkitallowfullscreen:1,width:1},n={keyup:"onKeyUp",resize:"onResize"},a=function(e){u.each(c.opened().reverse(),function(){if(!e.isDefaultPrevented()&&!1===this[n[e.type]](e))return e.preventDefault(),e.stopPropagation(),!1})},s=function(e){if(e!==c._globalHandlerInstalled){c._globalHandlerInstalled=e;var t=u.map(n,function(e,t){return t+"."+c.prototype.namespace}).join(" ");u(window)[e?"on":"off"](t,a)}};c.prototype={constructor:c,namespace:"featherlight",targetAttr:"data-featherlight",variant:null,resetCss:!1,background:null,openTrigger:"click",closeTrigger:"click",filter:null,root:"body",openSpeed:250,closeSpeed:250,closeOnClick:"background",closeOnEsc:!0,closeIcon:"&#10005;",loading:"",persist:!1,otherClose:null,beforeOpen:u.noop,beforeContent:u.noop,beforeClose:u.noop,afterOpen:u.noop,afterContent:u.noop,afterClose:u.noop,onKeyUp:u.noop,onResize:u.noop,type:null,contentFilters:["jquery","image","html","ajax","iframe","text"],setup:function(e,t){"object"!=typeof e||e instanceof u!=!1||t||(t=e,e=void 0);var n=u.extend(this,t,{target:e}),r=n.resetCss?n.namespace+"-reset":n.namespace,i=u(n.background||['<div class="'+r+"-loading "+r+'">','<div class="'+r+'-content">','<button class="'+r+"-close-icon "+n.namespace+'-close" aria-label="Close">',n.closeIcon,"</button>",'<div class="'+n.namespace+'-inner">'+n.loading+"</div>","</div>","</div>"].join("")),o="."+n.namespace+"-close"+(n.otherClose?","+n.otherClose:"");return n.$instance=i.clone().addClass(n.variant),n.$instance.on(n.closeTrigger+"."+n.namespace,function(e){if(!e.isDefaultPrevented()){var t=u(e.target);("background"===n.closeOnClick&&t.is("."+n.namespace)||"anywhere"===n.closeOnClick||t.closest(o).length)&&(n.close(e),e.preventDefault())}}),this},getContent:function(){if(!1!==this.persist&&this.$content)return this.$content;var t=this,e=this.constructor.contentFilters,n=function(e){return t.$currentTarget&&t.$currentTarget.attr(e)},r=n(t.targetAttr),i=t.target||r||"",o=e[t.type];if(!o&&i in e&&(o=e[i],i=t.target&&r),i=i||n("href")||"",!o)for(var a in e)t[a]&&(o=e[a],i=t[a]);if(!o){var s=i;if(i=null,u.each(t.contentFilters,function(){return(o=e[this]).test&&(i=o.test(s)),!i&&o.regex&&s.match&&s.match(o.regex)&&(i=s),!i}),!i)return"console"in window&&window.console.error("Featherlight: no content filter found "+(s?' for "'+s+'"':" (no target specified)")),!1}return o.process.call(t,i)},setContent:function(e){return this.$instance.removeClass(this.namespace+"-loading"),this.$instance.toggleClass(this.namespace+"-iframe",e.is("iframe")),this.$instance.find("."+this.namespace+"-inner").not(e).slice(1).remove().end().replaceWith(u.contains(this.$instance[0],e[0])?"":e),this.$content=e.addClass(this.namespace+"-inner"),this},open:function(t){var n=this;if(n.$instance.hide().appendTo(n.root),!(t&&t.isDefaultPrevented()||!1===n.beforeOpen(t))){t&&t.preventDefault();var e=n.getContent();if(e)return r.push(n),s(!0),n.$instance.fadeIn(n.openSpeed),n.beforeContent(t),u.when(e).always(function(e){n.setContent(e),n.afterContent(t)}).then(n.$instance.promise()).done(function(){n.afterOpen(t)})}return n.$instance.detach(),u.Deferred().reject().promise()},close:function(e){var t=this,n=u.Deferred();return!1===t.beforeClose(e)?n.reject():(0===i(t).length&&s(!1),t.$instance.fadeOut(t.closeSpeed,function(){t.$instance.detach(),t.afterClose(e),n.resolve()})),n.promise()},resize:function(e,t){if(e&&t){this.$content.css("width","").css("height","");var n=Math.max(e/(this.$content.parent().width()-1),t/(this.$content.parent().height()-1));1<n&&(n=t/Math.floor(t/n),this.$content.css("width",e/n+"px").css("height",t/n+"px"))}},chainCallbacks:function(e){for(var t in e)this[t]=u.proxy(e[t],this,u.proxy(this[t],this))}},u.extend(c,{id:0,autoBind:"[data-featherlight]",defaults:c.prototype,contentFilters:{jquery:{regex:/^[#.]\w/,test:function(e){return e instanceof u&&e},process:function(e){var t=u(document).find(e);return!1!==this.persist?t:t.clone(!0)}},image:{regex:/\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,process:function(e){var t=u.Deferred(),n=new Image,r=u('<img alt="" class="'+this.namespace+'-image" />').attr("src",e);return n.onload=function(){r.naturalWidth=n.width,r.naturalHeight=n.height,t.resolve(r)},n.onerror=function(){t.reject(r)},n.src=e,t.promise()}},html:{regex:/^\s*<[\w!][^<]*>/,process:function(e){var t=u(u.parseHTML(""+e,document,!1));return t.find("*").addBack().each(function(){var e=this.attributes;if(e)for(var t=e.length-1;t>=0;t--){var n=e[t].name,i=n.toLowerCase(),r=(""+e[t].value).replace(/[\s ]+/g,"").toLowerCase();(0===i.indexOf("on")||("href"===i||"src"===i||"xlink:href"===i)&&0===r.indexOf("javascript:"))&&this.removeAttribute(n)}}),t}},ajax:{regex:/./,process:function(e){var n=u.Deferred(),r=u("<div></div>").load(e,function(e,t){"error"!==t&&n.resolve(r.contents()),n.fail()});return n.promise()}},iframe:{process:function(e){var t=new u.Deferred,n=u("<iframe/>"),r=function(e,t){var n={},r=new RegExp("^"+t+"([A-Z])(.*)");for(var i in e){var o=i.match(r);o&&(n[(o[1]+o[2].replace(/([A-Z])/g,"-$1")).toLowerCase()]=e[i])}return n}(this,"iframe"),i=function(e,t){var n={};for(var r in e)r in t&&(n[r]=e[r],delete e[r]);return n}(r,o);return n.hide().attr("src",e).attr(i).css(r).on("load",function(){t.resolve(n.show())}).appendTo(this.$instance.find("."+this.namespace+"-content")),t.promise()}},text:{process:function(e){return u("<div>",{text:e})}}},functionAttributes:["beforeOpen","afterOpen","beforeContent","afterContent","beforeClose","afterClose"],readElementConfig:function(e,t){var r=this,i=new RegExp("^data-"+t+"-(.*)"),o={};return e&&e.attributes&&u.each(e.attributes,function(){var e=this.name.match(i);if(e){var t=this.value,n=u.camelCase(e[1]);if(0<=u.inArray(n,r.functionAttributes))t=new Function(t);else try{t=JSON.parse(t)}catch(e){}o[n]=t}}),o},extend:function(e,t){var n=function(){this.constructor=e};return n.prototype=this.prototype,e.prototype=new n,e.__super__=this.prototype,u.extend(e,this,t),e.defaults=e.prototype,e},attach:function(i,o,a){var s=this;"object"!=typeof o||o instanceof u!=!1||a||(a=o,o=void 0);var c,e=(a=u.extend({},a)).namespace||s.defaults.namespace,l=u.extend({},s.defaults,s.readElementConfig(i[0],e),a),t=function(e){var t=u(e.currentTarget),n=u.extend({$source:i,$currentTarget:t},s.readElementConfig(i[0],l.namespace),s.readElementConfig(e.currentTarget,l.namespace),a),r=c||t.data("featherlight-persisted")||new s(o,n);"shared"===r.persist?c=r:!1!==r.persist&&t.data("featherlight-persisted",r),n.$currentTarget.blur&&n.$currentTarget.blur(),r.open(e)};return i.on(l.openTrigger+"."+l.namespace,l.filter,t),{filter:l.filter,handler:t}},current:function(){var e=this.opened();return e[e.length-1]||null},opened:function(){var t=this;return i(),u.grep(r,function(e){return e instanceof t})},close:function(e){var t=this.current();if(t)return t.close(e)},_onReady:function(){var r=this;if(r.autoBind){var i=u(r.autoBind);i.each(function(){r.attach(u(this))}),u(document).on("click",r.autoBind,function(e){if(!e.isDefaultPrevented()){var t=u(e.currentTarget);if(i.length!==(i=i.add(t)).length){var n=r.attach(t);(!n.filter||0<u(e.target).parentsUntil(t,n.filter).length)&&n.handler(e)}}})}},_callbackChain:{onKeyUp:function(e,t){return 27===t.keyCode?(this.closeOnEsc&&u.featherlight.close(t),!1):e(t)},beforeOpen:function(e,t){return u(document.documentElement).addClass("with-featherlight"),this._previouslyActive=document.activeElement,this._$previouslyTabbable=u("a, input, select, textarea, iframe, button, iframe, [contentEditable=true]").not("[tabindex]").not(this.$instance.find("button")),this._$previouslyWithTabIndex=u("[tabindex]").not('[tabindex="-1"]'),this._previousWithTabIndices=this._$previouslyWithTabIndex.map(function(e,t){return u(t).attr("tabindex")}),this._$previouslyWithTabIndex.add(this._$previouslyTabbable).attr("tabindex",-1),document.activeElement.blur&&document.activeElement.blur(),e(t)},afterClose:function(e,t){var n=e(t),r=this;return this._$previouslyTabbable.removeAttr("tabindex"),this._$previouslyWithTabIndex.each(function(e,t){u(t).attr("tabindex",r._previousWithTabIndices[e])}),this._previouslyActive.focus(),0===c.opened().length&&u(document.documentElement).removeClass("with-featherlight"),n},onResize:function(e,t){return this.resize(this.$content.naturalWidth,this.$content.naturalHeight),e(t)},afterContent:function(e,t){var n=e(t);return this.$instance.find("[autofocus]:not([disabled])").focus(),this.onResize(t),n}}}),u.featherlight=c,u.fn.featherlight=function(e,t){return c.attach(this,e,t),this},u(document).ready(function(){c._onReady()})}else"console"in window&&window.console.info("Too much lightness, Featherlight needs jQuery.");function c(e,t){if(!(this instanceof c)){var n=new c(e,t);return n.open(),n}this.id=c.id++,this.setup(e,t),this.chainCallbacks(c._callbackChain)}}(jQuery);
\ No newline at end of file
+!function(u){"use strict";if(void 0!==u)if(u.fn.jquery.match(/-ajax/))"console"in window&&window.console.info("Featherlight needs regular jQuery, not the slim version.");else{var r=[],i=function(t){return r=u.grep(r,function(e){return e!==t&&0<e.$instance.closest("body").length})},o={allow:1,allowfullscreen:1,frameborder:1,height:1,longdesc:1,marginheight:1,marginwidth:1,mozallowfullscreen:1,name:1,referrerpolicy:1,sandbox:1,scrolling:1,src:1,srcdoc:1,style:1,webkitallowfullscreen:1,width:1},n={keyup:"onKeyUp",resize:"onResize"},a=function(e){u.each(c.opened().reverse(),function(){if(!e.isDefaultPrevented()&&!1===this[n[e.type]](e))return e.preventDefault(),e.stopPropagation(),!1})},s=function(e){if(e!==c._globalHandlerInstalled){c._globalHandlerInstalled=e;var t=u.map(n,function(e,t){return t+"."+c.prototype.namespace}).join(" ");u(window)[e?"on":"off"](t,a)}};c.prototype={constructor:c,namespace:"featherlight",targetAttr:"data-featherlight",variant:null,resetCss:!1,background:null,openTrigger:"click",closeTrigger:"click",filter:null,root:"body",openSpeed:250,closeSpeed:250,closeOnClick:"background",closeOnEsc:!0,closeIcon:"&#10005;",loading:"",persist:!1,otherClose:null,beforeOpen:u.noop,beforeContent:u.noop,beforeClose:u.noop,afterOpen:u.noop,afterContent:u.noop,afterClose:u.noop,onKeyUp:u.noop,onResize:u.noop,type:null,contentFilters:["jquery","image","html","ajax","iframe","text"],setup:function(e,t){"object"!=typeof e||e instanceof u!=!1||t||(t=e,e=void 0);var n=u.extend(this,t,{target:e}),r=n.resetCss?n.namespace+"-reset":n.namespace,i=u(n.background||['<div class="'+r+"-loading "+r+'">','<div class="'+r+'-content">','<button class="'+r+"-close-icon "+n.namespace+'-close" aria-label="Close">',n.closeIcon,"</button>",'<div class="'+n.namespace+'-inner">'+n.loading+"</div>","</div>","</div>"].join("")),o="."+n.namespace+"-close"+(n.otherClose?","+n.otherClose:"");return n.$instance=i.clone().addClass(n.variant),n.$instance.on(n.closeTrigger+"."+n.namespace,function(e){if(!e.isDefaultPrevented()){var t=u(e.target);("background"===n.closeOnClick&&t.is("."+n.namespace)||"anywhere"===n.closeOnClick||t.closest(o).length)&&(n.close(e),e.preventDefault())}}),this},getContent:function(){if(!1!==this.persist&&this.$content)return this.$content;var t=this,e=this.constructor.contentFilters,n=function(e){return t.$currentTarget&&t.$currentTarget.attr(e)},r=n(t.targetAttr),i=t.target||r||"",o=e[t.type];if(!o&&i in e&&(o=e[i],i=t.target&&r),i=i||n("href")||"",!o)for(var a in e)t[a]&&(o=e[a],i=t[a]);if(!o){var s=i;if(i=null,u.each(t.contentFilters,function(){return(o=e[this]).test&&(i=o.test(s)),!i&&o.regex&&s.match&&s.match(o.regex)&&(i=s),!i}),!i)return"console"in window&&window.console.error("Featherlight: no content filter found "+(s?' for "'+s+'"':" (no target specified)")),!1}return o.process.call(t,i)},setContent:function(e){return this.$instance.removeClass(this.namespace+"-loading"),this.$instance.toggleClass(this.namespace+"-iframe",e.is("iframe")),this.$instance.find("."+this.namespace+"-inner").not(e).slice(1).remove().end().replaceWith(u.contains(this.$instance[0],e[0])?"":e),this.$content=e.addClass(this.namespace+"-inner"),this},open:function(t){var n=this;if(n.$instance.hide().appendTo(n.root),!(t&&t.isDefaultPrevented()||!1===n.beforeOpen(t))){t&&t.preventDefault();var e=n.getContent();if(e)return r.push(n),s(!0),n.$instance.fadeIn(n.openSpeed),n.beforeContent(t),u.when(e).always(function(e){n.setContent(e),n.afterContent(t)}).then(n.$instance.promise()).done(function(){n.afterOpen(t)})}return n.$instance.detach(),u.Deferred().reject().promise()},close:function(e){var t=this,n=u.Deferred();return!1===t.beforeClose(e)?n.reject():(0===i(t).length&&s(!1),t.$instance.fadeOut(t.closeSpeed,function(){t.$instance.detach(),t.afterClose(e),n.resolve()})),n.promise()},resize:function(e,t){if(e&&t){this.$content.css("width","").css("height","");var n=Math.max(e/(this.$content.parent().width()-1),t/(this.$content.parent().height()-1));1<n&&(n=t/Math.floor(t/n),this.$content.css("width",e/n+"px").css("height",t/n+"px"))}},chainCallbacks:function(e){for(var t in e)this[t]=u.proxy(e[t],this,u.proxy(this[t],this))}},u.extend(c,{id:0,autoBind:"[data-featherlight]",defaults:c.prototype,contentFilters:{jquery:{regex:/^[#.]\w/,test:function(e){return e instanceof u&&e},process:function(e){return!1!==this.persist?u(e):u(e).clone(!0)}},image:{regex:/\.(png|jpg|jpeg|gif|tiff?|bmp|svg)(\?\S*)?$/i,process:function(e){var t=u.Deferred(),n=new Image,r=u('<img src="'+e+'" alt="" class="'+this.namespace+'-image" />');return n.onload=function(){r.naturalWidth=n.width,r.naturalHeight=n.height,t.resolve(r)},n.onerror=function(){t.reject(r)},n.src=e,t.promise()}},html:{regex:/^\s*<[\w!][^<]*>/,process:function(e){return u(e)}},ajax:{regex:/./,process:function(e){var n=u.Deferred(),r=u("<div></div>").load(e,function(e,t){"error"!==t&&n.resolve(r.contents()),n.fail()});return n.promise()}},iframe:{process:function(e){var t=new u.Deferred,n=u("<iframe/>"),r=function(e,t){var n={},r=new RegExp("^"+t+"([A-Z])(.*)");for(var i in e){var o=i.match(r);o&&(n[(o[1]+o[2].replace(/([A-Z])/g,"-$1")).toLowerCase()]=e[i])}return n}(this,"iframe"),i=function(e,t){var n={};for(var r in e)r in t&&(n[r]=e[r],delete e[r]);return n}(r,o);return n.hide().attr("src",e).attr(i).css(r).on("load",function(){t.resolve(n.show())}).appendTo(this.$instance.find("."+this.namespace+"-content")),t.promise()}},text:{process:function(e){return u("<div>",{text:e})}}},functionAttributes:["beforeOpen","afterOpen","beforeContent","afterContent","beforeClose","afterClose"],readElementConfig:function(e,t){var r=this,i=new RegExp("^data-"+t+"-(.*)"),o={};return e&&e.attributes&&u.each(e.attributes,function(){var e=this.name.match(i);if(e){var t=this.value,n=u.camelCase(e[1]);if(0<=u.inArray(n,r.functionAttributes))t=new Function(t);else try{t=JSON.parse(t)}catch(e){}o[n]=t}}),o},extend:function(e,t){var n=function(){this.constructor=e};return n.prototype=this.prototype,e.prototype=new n,e.__super__=this.prototype,u.extend(e,this,t),e.defaults=e.prototype,e},attach:function(i,o,a){var s=this;"object"!=typeof o||o instanceof u!=!1||a||(a=o,o=void 0);var c,e=(a=u.extend({},a)).namespace||s.defaults.namespace,l=u.extend({},s.defaults,s.readElementConfig(i[0],e),a),t=function(e){var t=u(e.currentTarget),n=u.extend({$source:i,$currentTarget:t},s.readElementConfig(i[0],l.namespace),s.readElementConfig(e.currentTarget,l.namespace),a),r=c||t.data("featherlight-persisted")||new s(o,n);"shared"===r.persist?c=r:!1!==r.persist&&t.data("featherlight-persisted",r),n.$currentTarget.blur&&n.$currentTarget.blur(),r.open(e)};return i.on(l.openTrigger+"."+l.namespace,l.filter,t),{filter:l.filter,handler:t}},current:function(){var e=this.opened();return e[e.length-1]||null},opened:function(){var t=this;return i(),u.grep(r,function(e){return e instanceof t})},close:function(e){var t=this.current();if(t)return t.close(e)},_onReady:function(){var r=this;if(r.autoBind){var i=u(r.autoBind);i.each(function(){r.attach(u(this))}),u(document).on("click",r.autoBind,function(e){if(!e.isDefaultPrevented()){var t=u(e.currentTarget);if(i.length!==(i=i.add(t)).length){var n=r.attach(t);(!n.filter||0<u(e.target).parentsUntil(t,n.filter).length)&&n.handler(e)}}})}},_callbackChain:{onKeyUp:function(e,t){return 27===t.keyCode?(this.closeOnEsc&&u.featherlight.close(t),!1):e(t)},beforeOpen:function(e,t){return u(document.documentElement).addClass("with-featherlight"),this._previouslyActive=document.activeElement,this._$previouslyTabbable=u("a, input, select, textarea, iframe, button, iframe, [contentEditable=true]").not("[tabindex]").not(this.$instance.find("button")),this._$previouslyWithTabIndex=u("[tabindex]").not('[tabindex="-1"]'),this._previousWithTabIndices=this._$previouslyWithTabIndex.map(function(e,t){return u(t).attr("tabindex")}),this._$previouslyWithTabIndex.add(this._$previouslyTabbable).attr("tabindex",-1),document.activeElement.blur&&document.activeElement.blur(),e(t)},afterClose:function(e,t){var n=e(t),r=this;return this._$previouslyTabbable.removeAttr("tabindex"),this._$previouslyWithTabIndex.each(function(e,t){u(t).attr("tabindex",r._previousWithTabIndices[e])}),this._previouslyActive.focus(),0===c.opened().length&&u(document.documentElement).removeClass("with-featherlight"),n},onResize:function(e,t){return this.resize(this.$content.naturalWidth,this.$content.naturalHeight),e(t)},afterContent:function(e,t){var n=e(t);return this.$instance.find("[autofocus]:not([disabled])").focus(),this.onResize(t),n}}}),u.featherlight=c,u.fn.featherlight=function(e,t){return c.attach(this,e,t),this},u(document).ready(function(){c._onReady()})}else"console"in window&&window.console.info("Too much lightness, Featherlight needs jQuery.");function c(e,t){if(!(this instanceof c)){var n=new c(e,t);return n.open(),n}this.id=c.id++,this.setup(e,t),this.chainCallbacks(c._callbackChain)}}(jQuery);
\ No newline at end of file
