Even if Xara applications are invulnerable to an infected WebP image, assuming one uses such an image and could pass it along untouched to a website build/update, it would then be possible that site can infect others or the designer's computer viewing the page they built unless both parties are using up to date browsers / browser components.