diff --git a/app/Models/Attachment.php b/app/Models/Attachment.php
index 3ce464c7..da44936f 100644
--- a/app/Models/Attachment.php
+++ b/app/Models/Attachment.php
@@ -4,5 +4,5 @@ namespace App\Models;
 class Attachment extends NexusModel
 {
-
+ const IMG_EXTENSIONS = ['jpeg', 'jpg', 'png', 'gif', 'webp', 'bmp', 'tif', 'tiff', 'heic'];
 }
diff --git a/include/constants.php b/include/constants.php
index b1438c43..7216ad48 100644
--- a/include/constants.php
+++ b/include/constants.php
@@ -1,6 +1,6 @@
getRequestId()); do_log($msg, "alert"); write_log($msg, "mod"); - return ""; } - //only allow these - $allowScriptPattern = "/(forums|details|offers)\.php/i"; - $match = preg_match($allowScriptPattern, $src); - if ($match <= 0) { - do_log("[NOT_ALLOW_SRC]: $src"); - return ""; - } - return $src; -} - -function is_danger_url($url): bool -{ - $dangerScriptsPattern = "/(logout|login|ajax|announce|scrape|adduser|modtask|docleanup|freeleech|take.*)\.php/i"; - $match = preg_match($dangerScriptsPattern, $url); - if ($match > 0) { - return true; - } - return false; + do_log("[NOT_ALLOW_SRC]: $src with path: $path"); + return ""; } //here must retrieve the real time info, no cache!!!
diff --git a/public/attachment.php b/public/attachment.php
index 4d96c9bf..90522e88 100644
--- a/public/attachment.php
+++ b/public/attachment.php
@@ -35,7 +35,7 @@ if ($Attach->enable_attachment())
 $ext_l = strrpos($origfilename, ".");
 $ext = strtolower(substr($origfilename, $ext_l+1, strlen($origfilename)-($ext_l+1)));
 $banned_ext = array('exe', 'com', 'bat', 'msi');
- $img_ext = array('jpeg', 'jpg', 'png', 'gif', 'webp', 'bmp', 'tif', 'tiff', 'heic');
+ $img_ext = \App\Models\Attachment::IMG_EXTENSIONS;
 if (!$file || $filesize == 0 || $file["name"] == "") // nothing received
 {
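Review bot: `const IMG_EXTENSIONS` on the added line carries no visibility modifier; PSR-12 requires one on every class constant, and since public/attachment.php reads it from outside the class it should be `public const IMG_EXTENSIONS = [...]` (on PHP 8.3+ `public const array IMG_EXTENSIONS` would also pin the type). A one-line docblock would state the contract callers rely on, e.g. `/** @var list<string> Lower-case file extensions (without the dot) treated as images. */`. Whether this list is the only place image handling is keyed on is not visible from the hunk.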
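Review bot: The new `$img_ext = \App\Models\Attachment::IMG_EXTENSIONS;` line centralises the image list, but `$banned_ext` two lines above is still an inline `array('exe', 'com', 'bat', 'msi')` literal, so the two upload-extension policies now live in different files; giving the banned list the same treatment (a companion constant on the model, e.g. `BANNED_EXTENSIONS`, name constructed) would keep both maintained together. The fully-qualified reference could be shortened with a `use App\Models\Attachment;` import at the top of the file, which is a style preference only. The comparison of `$ext` against these lists is outside the hunk; wherever it lives it should use `in_array($ext, $img_ext, true)` so strict comparison applies, and note that `strrpos` on a name without a dot returns `false`, which the pre-existing context lines do not guard against. The enclosing `if ($Attach->enable_attachment())` block starts outside the hunk.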