From e33a3443169f13956ff4735a7b4261c8c4885c79 Mon Sep 17 00:00:00 2001
From: Darin Kotter
Date: Wed, 6 Feb 2019 09:05:13 -0700
Subject: [PATCH] Make sure the output of add_query_arg is escaped properly.
---
 classes/class-live-update.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/class-live-update.php b/classes/class-live-update.php
index c029379e0..c23c62fa7 100644
--- a/classes/class-live-update.php
+++ b/classes/class-live-update.php
@@ -202,7 +202,7 @@ public function heartbeat_received( $response, $data ) {
 $query_args = json_decode( $data['wp-stream-heartbeat-query'], true );
 $query_args['paged'] = $total_pages;
- $response['last_page_link'] = add_query_arg( $query_args, admin_url( 'admin.php' ) );
+ $response['last_page_link'] = esc_url( add_query_arg( $query_args, admin_url( 'admin.php' ) ) );
 } else {
 $response['total_pages'] = 0;
 }
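Review bot: `esc_url()` on the `last_page_link` line escapes for HTML display, so every `&` in the query string becomes `&#038;` before the value goes into the heartbeat response. The client code that consumes the link is not visible in this hunk; if it sets the value as an attribute or property instead of concatenating markup, the entities stay literal and the link breaks, so the escaping function should match that sink. For a value carried in a JSON response the usual choice is `esc_url_raw( add_query_arg( $query_args, admin_url( 'admin.php' ) ) )`, with HTML escaping applied where the link is rendered. Separately, `$query_args` is the result of `json_decode()` on client-supplied heartbeat data and is indexed without a type check; a guard such as `if ( ! is_array( $query_args ) ) { $query_args = array(); }` before the `paged` assignment would keep a scalar or malformed payload from raising an error. `heartbeat_received()` begins and ends outside the hunk.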