diff --git a/packages/block-library/src/navigation/index.php b/packages/block-library/src/navigation/index.php
index d141908425541..9179a22eb34f6 100644
--- a/packages/block-library/src/navigation/index.php
+++ b/packages/block-library/src/navigation/index.php
@@ -549,13 +549,13 @@ function render_block_core_navigation( $attributes, $content, $block ) {
',
- $modal_unique_id,
+ esc_attr( $modal_unique_id ),
$inner_blocks_html,
__( 'Open menu' ), // Open button label.
__( 'Close menu' ), // Close button label.
- implode( ' ', $responsive_container_classes ),
- implode( ' ', $open_button_classes ),
- $colors['overlay_inline_styles'],
+ esc_attr( implode( ' ', $responsive_container_classes ) ),
+ esc_attr( implode( ' ', $open_button_classes ) ),
+ esc_attr( safecss_filter_attr( $colors['overlay_inline_styles'] ) ),
__( 'Menu' )
);
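Review bot: The three `__()` arguments on the unchanged lines (`__( 'Open menu' )`, `__( 'Close menu' )`, `__( 'Menu' )`) are the only values in this sprintf call that now reach the template without escaping, while the id, class lists and inline styles all gained `esc_attr()`; translated strings are data too, so if those placeholders sit in attribute context the calls should be `esc_attr__( 'Open menu' )` and friends, or `esc_html__()` where they land in text content. The template string and the rest of render_block_core_navigation are outside the hunk, so I cannot confirm which context each placeholder is in. The same pattern applies to `__( 'RSS Error:' )` in the first rss/index.php hunk, where only the error message itself gained `esc_html()`.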
diff --git a/packages/block-library/src/post-featured-image/index.php b/packages/block-library/src/post-featured-image/index.php
index 21e6aca445062..281030bf8612e 100644
--- a/packages/block-library/src/post-featured-image/index.php
+++ b/packages/block-library/src/post-featured-image/index.php
@@ -43,7 +43,7 @@ function render_block_core_post_featured_image( $attributes, $content, $block )
if ( ! empty( $attributes['scale'] ) ) {
$image_styles .= "object-fit:{$attributes['scale']};";
}
- $featured_image = str_replace( 'src=', "style='$image_styles' src=", $featured_image );
+ $featured_image = str_replace( '$featured_image";
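Review bot: The `object-fit:{$attributes['scale']};` interpolation on the unchanged line builds `$image_styles` from a block attribute with no `safecss_filter_attr()` or `esc_attr()` at that point, and the replacement line that injects `$image_styles` into the img markup is garbled in this view, so I cannot confirm whether the value is escaped before output. If it is not, the filtering belongs where the attribute is emitted, e.g. `"style='" . esc_attr( safecss_filter_attr( $image_styles ) ) . "'"`, matching the pattern the navigation and search hunks of this commit adopt. render_block_core_post_featured_image starts and ends outside the hunk.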
diff --git a/packages/block-library/src/rss/index.php b/packages/block-library/src/rss/index.php
index b0a31bf2bbd6d..63e7e745e3eb2 100644
--- a/packages/block-library/src/rss/index.php
+++ b/packages/block-library/src/rss/index.php
@@ -16,7 +16,7 @@ function render_block_core_rss( $attributes ) {
$rss = fetch_feed( $attributes['feedURL'] );
if ( is_wp_error( $rss ) ) {
- return '
' . __( 'RSS Error:' ) . ' ' . $rss->get_error_message() . '
';
+ return '' . __( 'RSS Error:' ) . ' ' . esc_html( $rss->get_error_message() ) . '
';
}
if ( ! $rss->get_item_quantity() ) {
@@ -44,8 +44,8 @@ function render_block_core_rss( $attributes ) {
if ( $date ) {
$date = sprintf(
' ',
- date_i18n( get_option( 'c' ), $date ),
- date_i18n( get_option( 'date_format' ), $date )
+ esc_attr( date_i18n( get_option( 'c' ), $date ) ),
+ esc_attr( date_i18n( get_option( 'date_format' ), $date ) )
);
}
}
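Review bot: `get_option( 'c' )` on the first added line looks up a WordPress option literally named "c" rather than passing the ISO 8601 format string to `date_i18n()`, so the datetime attribute most likely receives `false` as its format; the escaping added here wraps that result without addressing it. The intended call appears to be `esc_attr( date_i18n( 'c', $date ) )`. The enclosing loop and render_block_core_rss continue outside the hunk.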
diff --git a/packages/block-library/src/search/index.php b/packages/block-library/src/search/index.php
index fca0318aff8f8..f0f1742bf8cd1 100644
--- a/packages/block-library/src/search/index.php
+++ b/packages/block-library/src/search/index.php
@@ -276,12 +276,12 @@ function styles_for_block_core_search( $attributes ) {
// Add color styles.
$has_text_color = ! empty( $attributes['style']['color']['text'] );
if ( $has_text_color ) {
- $button_styles[] = sprintf( 'color: %s;', esc_attr( $attributes['style']['color']['text'] ) );
+ $button_styles[] = sprintf( 'color: %s;', $attributes['style']['color']['text'] );
}
$has_background_color = ! empty( $attributes['style']['color']['background'] );
if ( $has_background_color ) {
- $button_styles[] = sprintf( 'background-color: %s;', esc_attr( $attributes['style']['color']['background'] ) );
+ $button_styles[] = sprintf( 'background-color: %s;', $attributes['style']['color']['background'] );
}
$has_custom_gradient = ! empty( $attributes['style']['color']['gradient'] );
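Review bot: Dropping `esc_attr()` on the two `$button_styles[]` assignments makes the safety of those raw attribute values depend entirely on the single `esc_attr( safecss_filter_attr() )` applied at the return in the next hunk; escaping once at output is the right place, but nothing in this hunk records that contract, and the gradient branch beginning at `$has_custom_gradient` runs past the hunk so I cannot see whether it follows the same pattern. A comment above the first assignment would keep a later maintainer from echoing `$button_styles` elsewhere: `// Values are intentionally unescaped here; escaping happens once at output via esc_attr( safecss_filter_attr() ).` styles_for_block_core_search begins before the hunk.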
@@ -290,9 +290,9 @@ function styles_for_block_core_search( $attributes ) {
}
return array(
- 'input' => ! empty( $input_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $input_styles ) ) ) : '',
- 'button' => ! empty( $button_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $button_styles ) ) ) : '',
- 'wrapper' => ! empty( $wrapper_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $wrapper_styles ) ) ) : '',
+ 'input' => ! empty( $input_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $input_styles ) ) ) ) : '',
+ 'button' => ! empty( $button_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $button_styles ) ) ) ) : '',
+ 'wrapper' => ! empty( $wrapper_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $wrapper_styles ) ) ) ) : '',
);
}
diff --git a/packages/widgets/src/blocks/legacy-widget/index.php b/packages/widgets/src/blocks/legacy-widget/index.php
index 0d4e733d4cb36..8603aa2f32a40 100644
--- a/packages/widgets/src/blocks/legacy-widget/index.php
+++ b/packages/widgets/src/blocks/legacy-widget/index.php
@@ -46,7 +46,7 @@ function render_block_core_legacy_widget( $attributes ) {
if ( isset( $attributes['instance']['encoded'], $attributes['instance']['hash'] ) ) {
$serialized_instance = base64_decode( $attributes['instance']['encoded'] );
- if ( wp_hash( $serialized_instance ) !== $attributes['instance']['hash'] ) {
+ if ( ! hash_equals( wp_hash( $serialized_instance ), (string) $attributes['instance']['hash'] ) ) {
return '';
}
$instance = unserialize( $serialized_instance );
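Review bot: The `hash_equals()` comparison is the only gate between block attributes and the `unserialize( $serialized_instance )` call on the following line, so that check carries the full integrity burden for data that can instantiate objects; if widget instances are always plain arrays of scalars, `unserialize( $serialized_instance, array( 'allowed_classes' => false ) )` would remove the object-instantiation surface even if the keyed hash were ever weakened — confirm against the widget classes before adopting it. Separately, `base64_decode( $attributes['instance']['encoded'], true )` would reject malformed input up front instead of feeding a silently-cleaned string into `wp_hash()`. The `(string)` cast on the hash is correct for PHP 8's `hash_equals()` signature. render_block_core_legacy_widget continues outside the hunk.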
diff --git a/packages/widgets/src/blocks/widget-group/index.php b/packages/widgets/src/blocks/widget-group/index.php
index 6cf6442346a30..8c8584b296d57 100644
--- a/packages/widgets/src/blocks/widget-group/index.php
+++ b/packages/widgets/src/blocks/widget-group/index.php
@@ -28,7 +28,7 @@ function render_block_core_widget_group( $attributes, $content, $block ) {
$html = '';
if ( ! empty( $attributes['title'] ) ) {
- $html .= $before_title . $attributes['title'] . $after_title;
+ $html .= $before_title . esc_html( $attributes['title'] ) . $after_title;
}
$html .= '';
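Review bot: `! empty( $attributes['title'] )` on the unchanged line above the change treats a title of `'0'` as absent, so a widget titled "0" renders without its heading even though the value is now escaped correctly; if that edge matters, `isset( $attributes['title'] ) && '' !== $attributes['title']` keeps the `esc_html()` and skips only genuinely empty titles. `$before_title` and `$after_title` are assigned outside the hunk, so I assume they are fixed sidebar markup rather than user-controlled.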