diff --git a/CHANGELOG b/CHANGELOG index 4a3737821..b8c183f69 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -34,6 +34,7 @@ CHANGELOG Roundcube Webmail - Wash position:fixed style in HTML mail for better security (#5264) - Fix bug where memcache_debug didn't work for session operations - Fix bug where Message-ID domain part was tied to username instead of current identity (#5385) +- Fix bug where blocked.gif couldn't be attached to reply/forward with insecure content RELEASE 1.2.1 ------------- diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 4012c24cc..10a9b09c0 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -850,13 +850,15 @@ function rcmail_prepare_message_body() unset($plugin); // add blocked.gif attachment (#1486516) - if ($isHtml && preg_match('#get_resource_content('blocked.gif'); + if ($content && ($attachment = rcmail_save_image('blocked.gif', 'image/gif', $content))) { $COMPOSE['attachments'][$attachment['id']] = $attachment; $url = sprintf('%s&_id=%s&_action=display-attachment&_file=rcmfile%s', $RCMAIL->comm_path, $COMPOSE['id'], $attachment['id']); - $body = preg_replace('#program/resources/blocked\.gif#', $url, $body); + $body = preg_replace($regexp, ' src="' . $url . '"', $body); } }
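Review bot: In the new `$body = preg_replace($regexp, ' src="' . $url . '"', $body);` line, `$url` is concatenated unescaped into both a preg_replace replacement string and an HTML attribute value, so a `$n` or `\n` sequence in it would be read as a backreference and a `"` would end the attribute early. `$url` is built from `$RCMAIL->comm_path`, `$COMPOSE['id']` and `$attachment['id']`; if all three are server-generated this is hardening only, but that cannot be confirmed from this hunk. A callback sidesteps the replacement-string parsing: `$body = preg_replace_callback($regexp, function () use ($url) { return ' src="' . $url . '"'; }, $body);`. The statement that defines `$regexp` is missing from the text shown here, so also confirm that it passes the asset URL through `preg_quote()` with the pattern's delimiter. The body of `rcmail_prepare_message_body()` starts and ends outside the hunk.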