Commit 035167abe92 for woocommerce

commit 035167abe92403ea66eebf49613ce47b7629db23
Author: Karol Manijak <20098064+kmanijak@users.noreply.github.com>
Date:   Fri May 22 13:59:56 2026 +0200

    Fix image attribute output in product gallery dialog (#64673)

    * Escape image attribute values in product gallery dialog

    * Fix loading attribute output in product gallery dialog

    * Add changelog entry for product gallery dialog image fixes

    * Remove broken loading attribute from product gallery dialog images

diff --git a/plugins/woocommerce/changelog/fix-product-gallery-dialog-img-attrs b/plugins/woocommerce/changelog/fix-product-gallery-dialog-img-attrs
new file mode 100644
index 00000000000..590484ccd0a
--- /dev/null
+++ b/plugins/woocommerce/changelog/fix-product-gallery-dialog-img-attrs
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Fix attribute escaping in product gallery dialog images and remove the broken loading attribute so dialog images render eagerly as intended
diff --git a/plugins/woocommerce/src/Blocks/BlockTypes/ProductGallery.php b/plugins/woocommerce/src/Blocks/BlockTypes/ProductGallery.php
index ac8b9e28302..7d6a33846a3 100644
--- a/plugins/woocommerce/src/Blocks/BlockTypes/ProductGallery.php
+++ b/plugins/woocommerce/src/Blocks/BlockTypes/ProductGallery.php
@@ -37,14 +37,13 @@ class ProductGallery extends AbstractBlock {
 	 */
 	protected function render_dialog( $images ) {
 		$images_html = '';
-		foreach ( $images as $index => $image ) {
-			$id           = $image['id'];
-			$src          = $image['src'];
-			$srcset       = $image['srcset'];
-			$sizes        = $image['sizes'];
-			$alt          = $image['alt'];
-			$loading      = 0 === $index ? 'fetchpriority="high"' : 'loading="lazy"';
-			$images_html .= "<img data-image-id='{$id}' data-wp-watch='callbacks.toggleImageVisibility' src='{$src}' srcset='{$srcset}' sizes='{$sizes}' loading='{$loading}' decoding='async' alt='{$alt}' />";
+		foreach ( $images as $image ) {
+			$id           = esc_attr( $image['id'] );
+			$src          = esc_url( $image['src'] );
+			$srcset       = esc_attr( $image['srcset'] );
+			$sizes        = esc_attr( $image['sizes'] );
+			$alt          = esc_attr( $image['alt'] );
+			$images_html .= "<img data-image-id='{$id}' data-wp-watch='callbacks.toggleImageVisibility' src='{$src}' srcset='{$srcset}' sizes='{$sizes}' decoding='async' alt='{$alt}' />";
 		}
 		ob_start();
 		?>
@@ -66,7 +65,7 @@ class ProductGallery extends AbstractBlock {
 					</button>
 				</div>
 				<div class="wc-block-product-gallery-dialog__content">
-						<?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Output is already escaped by WooCommerce. ?>
+						<?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Attribute values are escaped above when building $images_html. ?>
 						<?php echo $images_html; ?>
 				</div>
 			</dialog>