Let's revive #2 to fix a small issue where esc_url() should be used for strings that appear in a src attribute.

Do not alter or remove anything below. The following sections will be managed by moderators only.

Acceptance criteria

• URL attribute values are escaped using the appropriate WP API function.

Implementation Brief

URL attribute values are fully escaped using esc_url in the following methods:

• \Google\Site_Kit\Modules\TagManager::print_gtm_no_js
• \Google\Site_Kit\Modules\TagManager::print_amp_gtm
• \Google\Site_Kit\Core\Util\Tracking::print_gtag_script

Changelog entry

• Update URL attributes to escape the full URLs.