
Regression related to the 2.4.0 security fix

Open suzoutlet opened this issue 2 weeks ago • 0 comments

Describe the bug

When an image contains special characters like image^3.webp, we are stripping the character, and the URL returned is image3.webp instead of image^3.webp. This breaks the image, causing a 404 error.

This is coming from the recent change applied here.

Security: Fix an authenticated Stored Cross-Site Scripting (XSS) vulnerability reported by Pathstack.

To Reproduce

Steps to reproduce the behavior:

  1. Install the Lazy Load - Optimize Images plugin (version 2.4.0).
  2. Add an image with a file name that includes special characters, for example, image^3.webp.
  3. Enable the LazyLoad for images option.
  4. View the page source and see that the special character is now removed.

Expected behavior

We should safely encode special characters instead of removing them, to prevent this kind of issue while still keeping URLs secure.

Screenshots

suzoutlet, Oct 23 '25 08:10
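As an added illustration, not code from the issue or from the plugin, the following hypothetical PHP contrasts the two behaviours the report describes for an image URL headed into an HTML src attribute: an allow-list filter that drops characters such as `^` (the 404), versus percent-encoding each path and query component and then HTML-escaping for the attribute context, so the URL still resolves and still cannot break out of the attribute. Function names and the sample URLs are constructed for this example.

```php
<?php
// Added example, not rocket-lazy-load's code. Both functions are hypothetical.

// Stripping approach: any character outside an allow-list is dropped. '^' is
// not in the list, so "image^3.webp" silently becomes "image3.webp" and the
// browser requests a file that does not exist.
function strip_unsafe_chars(string $url): string
{
    return preg_replace('/[^A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]/', '', $url);
}

// Encoding approach: percent-encode each path segment and each query key/value
// (RFC 3986 unreserved characters stay readable), then HTML-escape the result
// for the attribute. Every character survives in encoded form, and none can
// terminate the quoted attribute; the web server decodes %5E back to '^'.
function encode_image_url(string $url): string
{
    $p = parse_url($url);
    if ($p === false || empty($p['path'])) {
        return '';
    }
    // An image src should be http(s) or scheme-relative; any other scheme is
    // rejected outright rather than "cleaned" into something else.
    if (isset($p['scheme']) && !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return '';
    }
    // Decode first so an already-encoded %5E is not double-encoded to %255E.
    $enc = fn(string $s): string => rawurlencode(rawurldecode($s));

    $out = '';
    if (isset($p['host'])) {
        $out .= isset($p['scheme']) ? $p['scheme'] . '://' : '//';
        $out .= $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    }
    $out .= implode('/', array_map($enc, explode('/', $p['path'])));
    if (isset($p['query'])) {
        $pairs = [];
        foreach (explode('&', $p['query']) as $kv) {
            $pairs[] = implode('=', array_map($enc, explode('=', $kv, 2)));
        }
        $out .= '?' . implode('&', $pairs);
    }
    // Attribute context: quotes, '<', '>' and '&' become HTML entities.
    return htmlspecialchars($out, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs mirroring the report.
$src = 'https://example.com/wp-content/uploads/image^3.webp';
echo strip_unsafe_chars($src), "\n";   // the character is lost
echo encode_image_url($src), "\n";     // the character is kept, percent-encoded
echo encode_image_url('/uploads/my "photo" 3.webp?v=2&w=100'), "\n";
```

Run with `php example.php` to compare the three lines; only the first one changes the file name the server will look up.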