What?

This PR escapes the label block attribute in the categories block with wp_kses_post() before printing it inside the <label> HTML element. The PR addresses feedback left during code review of the package sync for WordPress 6.7.
Why?

For security reasons it is best practice to escape user-provided content late, before output. wp_kses_post() is used to allow the HTML tags allowed in the RichText field, and to be consistent with the escaping of other similar labels in other blocks.

How?
This PR escapes the label block attribute with wp_kses_post() before printing it inside the <label> HTML element.

Testing Instructions
Add a categories block.
In the block settings sidebar, enable the options "Display as dropdown" and "Show label".
Enter a custom label text. Type some random HTML tags, then select parts of the text and enable a style setting such as bold, or use the dropdown option to add an inline image, etc.
In the editor, the label is entered inside a RichText field and escaped with the help of the esc-html package.
View the content of the label in the editor and front and confirm that there are no issues that may be caused by double escaping. The style and inline image should continue to work on the front of the site.
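The unescaped and escaped render paths side by side, as an added example that is not the Gutenberg project's own code. It assumes WordPress is loaded (for instance run with `wp eval-file label-escape-demo.php` through WP-CLI) so that wp_kses_post() and esc_attr() exist; the function names demo_render_label_unescaped()/demo_render_label_escaped(), the select id and the sample attribute values are all constructed for the illustration.

```php
<?php
/**
 * Added example (not Gutenberg/WordPress project code): render a <label> for a
 * block's RichText "label" attribute, escaping late, at output time.
 *
 * Assumes WordPress is loaded (e.g. `wp eval-file label-escape-demo.php`), so
 * wp_kses_post() and esc_attr() are available. Function names, the select id
 * and the sample attributes are hypothetical.
 */

if ( ! function_exists( 'wp_kses_post' ) ) {
	fwrite( STDERR, "This example must run inside WordPress (e.g. via wp eval-file).\n" );
	exit( 1 );
}

/**
 * Before: the attribute is printed as stored. Whatever ends up in the block's
 * "label" attribute (including <script> or on* event handlers) reaches the page.
 */
function demo_render_label_unescaped( array $attributes, string $select_id ): string {
	$label = isset( $attributes['label'] ) ? (string) $attributes['label'] : '';
	return '<label for="' . esc_attr( $select_id ) . '">' . $label . '</label>';
}

/**
 * After: escape at output with wp_kses_post(). It keeps the inline HTML that the
 * editor's RichText field can produce (<strong>, <em>, <a>, <img>, ...) and drops
 * anything outside the "post" allowlist: disallowed tags are stripped (their
 * inner text survives as plain text) and disallowed attributes such as on*
 * handlers are removed. esc_html() would be the wrong tool here: it would encode
 * the allowed tags, so bold text and the inline image would show up as literal
 * markup on the front end (the double-escaping the test steps above look for).
 */
function demo_render_label_escaped( array $attributes, string $select_id ): string {
	$label = isset( $attributes['label'] ) ? (string) $attributes['label'] : '';
	return '<label for="' . esc_attr( $select_id ) . '">' . wp_kses_post( $label ) . '</label>';
}

// Constructed sample attribute values: one the editor saves legitimately
// (bold text plus an inline image) and two that someone might try to store.
$samples = array(
	'formatted' => array( 'label' => 'Pick a <strong>category</strong> <img src="https://example.com/x.png" alt="">' ),
	'script'    => array( 'label' => 'Categories<script>alert(1)</script>' ),
	'handler'   => array( 'label' => '<span onmouseover="alert(1)">Categories</span>' ),
);

foreach ( $samples as $name => $attributes ) {
	echo "== {$name} ==\n";
	echo 'unescaped: ' . demo_render_label_unescaped( $attributes, 'wp-block-categories-1' ) . "\n";
	echo 'escaped:   ' . demo_render_label_escaped( $attributes, 'wp-block-categories-1' ) . "\n";
}
```

In the "formatted" case both outputs keep the <strong> and <img> markup, which is the behaviour the testing instructions check on the front end; in the "script" and "handler" cases only the escaped output has the <script> tag and the onmouseover attribute removed.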