
Commit f5d9c6e

committed
Release new version 2.7.6
= 2.7.6 - 2025/10/13 = * This release has a security hardening patch and compatibility with WordPress 6.8.3 - please upgrade now. * Tweak - Tested for compatibility with WordPress 6.8.3 * Security - Fixed HTML attribute injection vulnerability
1 parent 5867bd3 commit f5d9c6e


3 files changed

+57
-17
lines changed


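--- a/a3-lazy-load.php
+++ b/a3-lazy-load.php
@@ -2,11 +2,11 @@
 /*
 Plugin Name: a3 Lazy Load
 Description: Speed up your site and enhance frontend user's visual experience in PC's, Tablets and mobile with a3 Lazy Load.
-Version: 2.7.5
+Version: 2.7.6
 Author: a3rev Software
 Author URI: https://a3rev.com/
 Requires at least: 6.0
-Tested up to: 6.8.1
+Tested up to: 6.8.3
 Text Domain: a3-lazy-load
 Domain Path: /languages
 License: GPLv2 or later
@@ -31,7 +31,7 @@
 
 define( 'A3_LAZY_LOAD_KEY', 'a3_lazy_load' );
 define( 'A3_LAZY_LOAD_PREFIX', 'a3_lazy_load_' );
-define( 'A3_LAZY_VERSION', '2.7.5' );
+define( 'A3_LAZY_VERSION', '2.7.6' );
 define( 'A3_LAZY_LOAD_G_FONTS', false );
 
 use \A3Rev\LazyLoad\FrameWork;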

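--- a/classes/class-a3-lazy-load.php
+++ b/classes/class-a3-lazy-load.php
@@ -427,13 +427,21 @@ protected function _filter_images( $content, $include_noscript = null ) {
 // replace the src and add the data-src attribute
 $replaceHTML = $imgHTML;
 
-if ( ! preg_match( "/ data-src=['\"]/is", $replaceHTML ) ) {
-$replaceHTML = preg_replace( '/<img(.*?)src=/is', '<img$1src="' . $this->_placeholder_url . '" data-lazy-type="image" data-src=', $replaceHTML );
-} elseif ( preg_match( "/ src=['\"]/is", $replaceHTML ) ) {
-$replaceHTML = preg_replace( '/ src=(["\'])(.*?)["\']/is', ' src="' . $this->_placeholder_url . '"', $replaceHTML );
+if ( ! preg_match( "/\\sdata-src=['\"]/is", $replaceHTML ) ) {
+$replaceHTML = preg_replace(
+'/<img\\b((?:(?:"[^"]*")|(?:\'[^\']*\')|[^"\'<>])*)\\s+src=(["\'])(.*?)\2/is',
+'<img$1 src="' . $this->_placeholder_url . '" data-lazy-type="image" data-src=$2$3$2',
+$replaceHTML
+);
+} elseif ( preg_match( "/\\s+src=['\"]/is", $replaceHTML ) ) {
+$replaceHTML = preg_replace( '/\\s+src=(["\'])(.*?)\1/is', ' src="' . $this->_placeholder_url . '"', $replaceHTML );
 }
 
-$replaceHTML = preg_replace( '/<img(.*?)srcset=/is', '<img$1srcset="" data-srcset=', $replaceHTML );
+$replaceHTML = preg_replace(
+'/<img\\b((?:(?:"[^"]*")|(?:\'[^\']*\')|[^"\'<>])*)\\s+srcset=(["\'])(.*?)\2/is',
+'<img$1 srcset="" data-srcset=$2$3$2',
+$replaceHTML
+);
 
 // add the lazy class to the img element
 if ( preg_match( '/class=["\']/i', $replaceHTML ) ) {
@@ -476,7 +484,11 @@ protected function _filter_images( $content, $include_noscript = null ) {
 $i++;
 // replace the srcset and add the data-srcset attribute
 $replaceHTML = '';
-$replaceHTML = preg_replace( '/<source(.*?)srcset=/is', '<source$1srcset="" data-srcset=', $imgHTML );
+$replaceHTML = preg_replace(
+'/<source\b((?:(?:"[^"]*")|(?:\'[^\']*\')|[^"\'<>])*)\s+srcset=(["\'])(.*?)\2/is',
+'<source$1 srcset="" data-srcset=$2$3$2',
+$imgHTML
+);
 
 // add the lazy class to the img element
 if ( preg_match( '/class=["\']/i', $replaceHTML ) ) {
@@ -579,7 +591,11 @@ protected function _filter_videos( $content, $include_noscript = null ) {
 $i++;
 // replace the src and add the data-src attribute
 $replaceHTML = '';
-$replaceHTML = preg_replace( '/iframe(.*?)src=/is', 'iframe$1 data-lazy-type="iframe" data-src=', $imgHTML );
+$replaceHTML = preg_replace(
+'/<iframe\b((?:(?:"[^"]*")|(?:\'[^\']*\')|[^"\'<>])*)\s+src=(["\'])(.*?)\2/is',
+'<iframe$1 data-lazy-type="iframe" data-src=$2$3$2',
+$imgHTML
+);
 
 // add the lazy class to the img element
 if ( preg_match( '/class=["\']/i', $replaceHTML ) ) {
@@ -624,12 +640,24 @@ protected function _filter_videos( $content, $include_noscript = null ) {
 
 
 $replaceHTML = '';
-$replaceHTML = preg_replace( '/video(.*?)src=/is', 'video$1 data-lazy-type="video" data-src=', $imgHTML );
+$replaceHTML = preg_replace(
+'/<video\b((?:(?:"[^"]*")|(?:\'[^\']*\')|[^"\'<>])*)\s+src=(["\'])(.*?)\2/is',
+'<video$1 data-lazy-type="video" data-src=$2$3$2',
+$imgHTML
+);
 
 if ( ! preg_match( "/ data-poster=['\"]/is", $replaceHTML ) ) {
-$replaceHTML = preg_replace( '/video(.*?)poster=/is', 'video$1poster="' . $this->_placeholder_url . '" data-lazy-type="video" data-poster=', $replaceHTML );
-} elseif ( preg_match( "/ poster=['\"]/is", $replaceHTML ) ) {
-$replaceHTML = preg_replace( '/ poster=(["\'])(.*?)["\']/is', ' poster="' . $this->_placeholder_url . '"', $replaceHTML );
+$replaceHTML = preg_replace(
+'/<video\b((?:(?:"[^"]*")|(?:\'[^\']*\')|[^"\'<>])*)\s+poster=(["\'])(.*?)\2/is',
+'<video$1 poster="' . $this->_placeholder_url . '" data-lazy-type="video" data-poster=$2$3$2',
+$replaceHTML
+);
+} elseif ( preg_match( "/\sposter=['\"]/is", $replaceHTML ) ) {
+$replaceHTML = preg_replace(
+'/\sposter=(["\'])(.*?)\1/is',
+' poster="' . $this->_placeholder_url . '"',
+$replaceHTML
+);
 } else {
 $replaceHTML = preg_replace( '/<video/is', '<video poster="' . $this->_placeholder_url . '"', $replaceHTML );
 }
@@ -678,7 +706,11 @@ protected function _filter_videos( $content, $include_noscript = null ) {
 // replace the src and add the data-src attribute
 $replaceHTML = '';
 //$replaceHTML = str_replace("src", 'data-src', $imgHTML);
-$replaceHTML = preg_replace( '/embed(.*?)src=/is', 'embed$1 data-lazy-type="video" data-src=', $imgHTML );
+$replaceHTML = preg_replace(
+'/<embed\b((?:(?:"[^"]*")|(?:\'[^\']*\')|[^"\'<>])*)\s+src=(["\'])(.*?)\2/is',
+'<embed$1 data-lazy-type="video" data-src=$2$3$2',
+$imgHTML
+);
 // add the lazy class to the img element
 if ( preg_match( '/class=["\']/i', $replaceHTML ) ) {
 $replaceHTML = preg_replace( '/class=(["\'])(.*?)["\']/is', 'class=$1lazy lazy-hidden $2$1', $replaceHTML );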
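Review bot: The `elseif` fallback in the first `_filter_images` hunk still uses the unanchored pattern `'/\\s+src=(["\'])(.*?)\1/is'`, so when a `data-src` is already present it can match ` src=` text sitting inside another attribute's quoted value and write a double-quoted placeholder into it, which is the same attribute-boundary problem the other replacements were rewritten to avoid. The `poster` fallback in `_filter_videos` (`'/\sposter=(["\'])(.*?)\1/is'`) and the `data-src` / `data-poster` `preg_match` guards have the same gap, since none of them walk the tag's quoted values first. I would reuse the attribute-walking prefix there as well, e.g. `'/<img\\b((?:(?:"[^"]*")|(?:\'[^\']*\')|[^"\'<>])*)\\s+src=(["\'])(.*?)\2/is'` with replacement `'<img$1 src="' . $this->_placeholder_url . '"'`. The class rewrite visible at the end of the last hunk, `'/class=(["\'])(.*?)["\']/is'`, is likewise unanchored and still closes on either quote character rather than `\1`, so it deserves the same treatment. Both `_filter_images` and `_filter_videos` begin and end outside the hunks shown, so how `$imgHTML` is extracted could not be checked from here.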

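--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
 Contributors: a3rev, a3rev Software, nguyencongtuan
 Tags: a3 lazy load, Lazy Loading, image lazy load, lazyload
 Requires at least: 6.0
-Tested up to: 6.8.1
-Stable tag: 2.7.5
+Tested up to: 6.8.3
+Stable tag: 2.7.6
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -202,6 +202,11 @@ Filter tags to add to class name of theme to exclude lazy load on images or vide
 
 == Changelog ==
 
+= 2.7.6 - 2025/10/13 =
+* This release has a security hardening patch and compatibility with WordPress 6.8.3 - please upgrade now.
+* Tweak - Tested for compatibility with WordPress 6.8.3
+* Security - Fixed HTML attribute injection vulnerability
+
 = 2.7.5 - 2025/06/19 =
 * This maintenance release has 1 bug fix
 * Fix - Make the _load_textdomain_just_in_time is called correctly
@@ -650,6 +655,9 @@ Filter tags to add to class name of theme to exclude lazy load on images or vide
 
 == Upgrade Notice ==
 
+= 2.7.6 =
+This release has a security hardening patch please upgrade now.
+
 = 2.7.5 =
 * This maintenance release has 1 bug fix
 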