Fix security and logic bugs in image generator and OG tags

- Fix null-dereference: check !$post with || before accessing post_type
- Sanitize $_GET['post'] with absint() before use
- Escape OG tag attribute values with esc_attr()/esc_url()

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

includes/featured-image-generator.php

@@ -115,12 +115,14 @@ add_action('init', 'add_image_generator_endpoint');
 
 function handle_image_request() {
     if (!isset($_GET['post'])) return;
-    
-    $post_id = $_GET['post'];
+
+    $post_id = absint( $_GET['post'] );
+    if ( $post_id <= 0 ) return;
+
     $post = get_post($post_id);
 
     // Verify post type
-    if (!$post && $post->post_type !== 'sp_event') return;
+    if (!$post || $post->post_type !== 'sp_event') return;
 
     // Get associated teams from post meta
     $team_ids = get_post_meta($post_id, 'sp_team', false); // false to get an array of values

includes/open-graph-tags.php

@@ -189,10 +189,10 @@ function custom_open_graph_tags_with_sportspress_integration() {
             $description .= " " . $post->post_content;
             $image = asc_sp_event_matchup_image_url( $post );
             echo '<meta property="og:type" content="article" />' . "\n";
-            echo '<meta property="og:image" content="'. $image . '" />' . "\n";
-            echo '<meta property="og:title" content="' . $title . '" />' . "\n";
-            echo '<meta property="og:description" content="' . $description . '" />' . "\n";
-            echo '<meta property="og:url" content="' . get_permalink() . '" />' . "\n";
+            echo '<meta property="og:image" content="' . esc_url( $image ) . '" />' . "\n";
+            echo '<meta property="og:title" content="' . esc_attr( $title ) . '" />' . "\n";
+            echo '<meta property="og:description" content="' . esc_attr( $description ) . '" />' . "\n";
+            echo '<meta property="og:url" content="' . esc_url( get_permalink() ) . '" />' . "\n";
         }
     }
 }