George Sexton
Forum Replies Created
-
Forum: Plugins
In reply to: [connectDaily Events Calendar Plugin] Still has vulnerability & other issuesThe only vulnerability report I’m aware of was fixed 5 months and 3 weeks ago (the last support post). I confirmed with the reporter that it was resolved. If there is another one, please let me know.
If you could tell me more about the time zone issue I’d be happy to look at it. If you could mail [email protected] a screenshot of the WordPress settings page with Time Zone, and the connectDaily time settings page, along with the error message, I’ll get it fixed.
Forum: Plugins
In reply to: [connectDaily Events Calendar Plugin] Security vulnerabilityThe reporter shows this issue as resolved.
Forum: Plugins
In reply to: [connectDaily Events Calendar Plugin] Security vulnerabilityI’ve pushed up a new release that fixes the issues they communicated to me. I’ve provided the reporting company with a patch so they can vet the changes.
Forum: Plugins
In reply to: [connectDaily Events Calendar Plugin] Security vulnerabilityYes, we’ll be fixing it in the next couple of weeks. It’s a very low risk bug. The “bug bounty” firm that reported this is difficult to work with and I’ve gone through two iterations already to address it. They don’t respond to emails, and when they do it’s usually copy/pasted without actually responding to the asked questions. They finally communicated what the issue was in a specific way about a week ago.
Here is the URL to my plugin:
I kept investigating, and got this:
SVGs aren’t officially treated as images
By default WordPress only considers GIF, JPEG, PNG (and, in recent versions, WebP) as “images.” That check lives inwp_attachment_is_image()— SVGs aren’t on that list.
When you callwp_get_attachment_image(), under the hood it usesimage_downsize()to fetch URL, width and height. Ifwp_attachment_is_image()is false and there’s no metadata for a “full” size,image_downsize()simply returnsfalse, which then causes the<img>generator to skip outputting anywidthorheightattributes. developer.ww.wp.xz.cnThis explains why when I add width and height attributes to my generated output, they’re getting removed. I guess that also means I can’t work around the issue by adding the attributes.
I’m using WordPress 2025 theme, and I’ve also tested with WordPress 2016 theme. I tried adding height/width (see below) and it’s not getting written. I see something is writing a decoding=async (not my code). So it looks like something in WordPress 6.8 is fiddling my output.
I ran this through ChatGPT, and it pointed out something that appears pretty subtle. I’ve looked through it, and it seems plausible, so I’ll post it. ChatGPT is correct in that there’s no height/width attributes because the height and width are set on the element via CSS.
Why SVGs fail to loadWhen the PHP side transforms your
<img src="…">into a lazy element, it:- Moves
src→data-src - Inserts a 1 × 1 transparent GIF placeholder (
src="data:image/gif;base64,…") - Attempts to set explicit
widthandheightin thestyleso the placeholder still takes up space
That “set dimensions” step looks like this:
$width = (int) $element->get_attribute_value( 'width' );
$height = (int) $element->get_attribute_value( 'height' );
// Try to guess from the URL (e.g. filename-200x300.png)
if ( empty( $width ) || empty( $height ) ) {
list( $width, $height ) = $this->url_utils->guess_dimensions_from_image_url( $src_image_url );
}
// Finally, fall back to PHP’s getimagesize() for local files
if ( empty( $width ) || empty( $height ) ) {
$info = $this->server_utils->get_image_info( $src_image_url );
if ( ! empty( $info['width'] ) && ! empty( $info['height'] ) ) {
$width = $info['width'];
$height = $info['height'];
}
}
// Then it injects:
if ( $width && $height ) {
$element->add_or_update_attribute(
new Element_Attribute( 'style', "width:{$width}px;height:{$height}px;{$existing_style}" )
);
}SVGs typically lack HTML
width/heightattributes and their URLs usually don’t encode dimensions in the filename, and PHP’sgetimagesize()often cannot extract native SVG dimensions unless your environment supports it. As a result:- No
width/heightare set on the placeholder<img> - It collapses to 0 × 0 pixels
- The IntersectionObserver in the JS never “sees” it enter the viewport
- Therefore the real SVG (
data-src) is never swapped in
Summary
- JS location:
app/assets/js/smush-lazy-load.min.js(enqueued inclass-lazy-load-controller.php) - Underlying cause for SVG: the placeholder image ends up with no dimensions (0×0), so the lazy-load script never triggers the swap back to the real SVG source. To fix, either give your SVG
<img>explicitwidth/height, or adjust the plugin’s dimension-detection logic (e.g. parse the SVG’sviewBox) so that placeholders retain visible size.
On my demo site that has my plugin, I installed smush. I went through and did the install. The only option I changed from the default was “Compress My Full Size Images” during the wizard setup.
After doing that, my icons are now:
<img decoding="async" id="imgNavLeftcdaily_monthview" data-year="2025" data-month="6" data-direction="-1" class=CDNavIcon data-src="https://wpdemo.mhsoftware.com/wp-content/plugins/connect-daily-web-calendar/images/left-arrow.svg" alt="Previous Month" title="Previous Month" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" class="lazyload">If I turn off lazy loading for .svg then I get:
<img decoding="async" data-year="2025" data-month="6" data-direction="1" class=CDNavIcon src="https://wpdemo.mhsoftware.com/wp-content/plugins/connect-daily-web-calendar/images/right-arrow.svg" alt="Next Month" title="Next Month">This appears to be the relevant code from your plugin:
// File: core/lazy-load/class-lazy-load-transform.php
// Lines ~117–123
private function update_element_attributes_for_lazy_load( Element $element, $replace_attributes ) {
// Move each real attribute (e.g. 'src', 'srcset', 'sizes') into data-src* versions
$this->replace_attributes_with_data_attributes( $element, $replace_attributes );
// Insert a tiny, blank placeholder src (keep markup valid)
$element->add_attribute(
new Element_Attribute( 'src', self::TEMP_SRC )
);
// Add the CSS class that triggers the JS/CSS lazy-loader
$this->add_lazy_load_class( $element );
}So the code above sticks in the dummy image, and evidently the code that handles lazy loading replaces the src on-demand. But that’s failing for some reason. I ran the page with the debugger turned on and I’m not seeing anything. By any chance does lazy load try to retrieve images from a compressed image directory?
@wpmudevsupport3 I’ll install smush tomorrow and test it.
Kris,
Let me start over. I’m a plugin vendor also. When customers use my plugin with your plugin, there’s a problem.
Your plugin is attempting to in-line an SVG icon, and only generating a single pixel invisible GIF. Here’s an example of your output code:
<img decoding=”async” id=”imgNavLeftcdaily_monthview” data-year=”2025“
data-month=”6” data-direction=”-1” class=CDNavIcon
data-src=”https://www.mycustomer.net/wp-content/plugins/connect-daily-web-calendar/images/left-arrow.svg“
alt=”Previous Month” title=”Previous Month“
src=”data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==“
class=”lazyload“>My customers then call me with complaints that my product isn’t working. This has happened at least 5 times. This isn’t a problem I can fix by changing a setting in your plugin. I need your help.
You stated in your last post the Smush doesn’t have the ability to compress SVG images. But, as you can see from the included code snippet, it is replacing the SVG content with a GIF. I’m asking you to correct it so that it doesn’t touch them.
Thanks
Kris,
Thanks for responding. Smush is ATTEMPTING to compress SVGs. Perhaps this is just a coding error. Here’s an example output:
<img decoding=”async” id=”imgNavLeftcdaily_monthview” data-year=”2025“
data-month=”6” data-direction=”-1” class=CDNavIcon
data-src=”https://www.mycustomer.net/wp-content/plugins/connect-daily-web-calendar/images/left-arrow.svg“
alt=”Previous Month” title=”Previous Month“
src=”data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==“
class=”lazyload“>Forum: Plugins
In reply to: [connectDaily Events Calendar Plugin] Hide subscribe and login buttonSusanna,
The dropdown doesn’t show because you only have one configured calendar and you’re viewing by calendar. Since the dropdown if populated would only have one entry, it’s not displayed.
There are some options:
- Create additional calendars. The dropdown will appear as expected.
- Change the calendar to view events type type. This will show the different event types. E.G. Holidays, Luncheons, etc.
- Use the Events filter widget in conjunction with the calendar. You can figure it to show a list of event types. Visitors could then see all events by default, or use the event types widget to restrict the types of events.
If you’d like some help configuring this, please let me know.
Forum: Plugins
In reply to: [connectDaily Events Calendar Plugin] Hide subscribe and login buttonI’m not sure what you mean. The short code does have options for doing a dropdown by event type. There’s also an option where you can create a filter by event type.
Can you give me a little information about how you would like it to appear?
Forum: Plugins
In reply to: [connectDaily Events Calendar Plugin] Hide subscribe and login button@susanna961 You’re using the IFRAME integration. If you use the Short Code or Block integration, you can insert a calendar that doesn’t have those. Here’s an example.
http://wpdemo.mhsoftware.com/calendar-of-events/
Just delete that short-code, click on the calendar icon to open the short code generator.
@kenjigarland I’m so sorry I didn’t see this earlier. For some reason, I didn’t get a notification about it.
I’ve created a new release that addresses this issue.
- Moves
