Escape the HTML in the editor of the posts and post carousel blocks

godaddy-wordpress · Jul 25, 2024 · 93097d6 · 93097d6
1 parent 4a4e73c
commit 93097d6
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -119,6 +119,7 @@
 		"@wordpress/editor": "^13.21.0",
 		"@wordpress/element": "^5.21.0",
 		"@wordpress/env": "^10.1.0",
+		"@wordpress/escape-html": "^3.4.0",
 		"@wordpress/eslint-plugin": "^17.1.0",
 		"@wordpress/hooks": "^3.44.0",
 		"@wordpress/i18n": "^4.44.0",

diff --git a/src/blocks/post-carousel/post-item.js b/src/blocks/post-carousel/post-item.js
@@ -13,6 +13,7 @@ import {
 } from '@wordpress/components';
 import { PlainText } from '@wordpress/block-editor';
 import { RawHTML } from '@wordpress/element';
+import { escapeHTML } from '@wordpress/escape-html';
 import { withSelect } from '@wordpress/data';
 // Disable reason: We choose to use unsafe APIs in our codebase.
 // eslint-disable-next-line @wordpress/no-unsafe-wp-apis
@@ -78,7 +79,7 @@ const PostItem = ( {
 					<RawHTML
 						key="html"
 					>
-						{ excerpt.trim().split( ' ', excerptLength ).join( ' ' ) }
+						{ escapeHTML( excerpt.trim().split( ' ', excerptLength ).join( ' ' ) ) }
 					</RawHTML>
 				</div>
 				}

diff --git a/src/blocks/posts/edit.js b/src/blocks/posts/edit.js
@@ -13,6 +13,7 @@ import apiFetch from '@wordpress/api-fetch';
 import { __ } from '@wordpress/i18n';
 import { compose, usePrevious } from '@wordpress/compose';
 import { lazy, RawHTML, useState, useEffect, useRef } from '@wordpress/element';
+import { escapeHTML } from '@wordpress/escape-html';
 import { addQueryArgs } from '@wordpress/url';
 // Disable reason: We choose to use unsafe APIs in our codebase.
 // eslint-disable-next-line @wordpress/no-unsafe-wp-apis
@@ -435,8 +436,8 @@ const PostsEdit = ( props ) => {
 														key="html"
 													>
 														{ excerptLength < excerpt.trim().split( ' ' ).length
-															? excerpt.trim().split( ' ', excerptLength ).join( ' ' ) + '…'
-															: excerpt.trim().split( ' ', excerptLength ).join( ' ' ) }
+															? escapeHTML( excerpt.trim().split( ' ', excerptLength ).join( ' ' ) ) + '…'
+															: escapeHTML( excerpt.trim().split( ' ', excerptLength ).join( ' ' ) ) }
 													</RawHTML>
 												</div>
 											}

diff --git a/yarn.lock b/yarn.lock
@@ -4172,6 +4172,13 @@
   dependencies:
     "@babel/runtime" "^7.16.0"
 
+"@wordpress/escape-html@^3.4.0":
+  version "3.4.0"
+  resolved "https://registry.yarnpkg.com/@wordpress/escape-html/-/escape-html-3.4.0.tgz#ec625d409b018ff68d6081c66586fd420f74e122"
+  integrity sha512-KcUv+s0J/LEZEEvd+E3IkNCeW8wde0TjO+1HrcfvqI8Rfuc0zOAZeS/6ZqIeX0m/mhQ0xS2Y3e8hsnU+wAG6Mw==
+  dependencies:
+    "@babel/runtime" "^7.16.0"
+
 "@wordpress/eslint-plugin@^12.7.0":
   version "12.9.0"
   resolved "https://registry.yarnpkg.com/@wordpress/eslint-plugin/-/eslint-plugin-12.9.0.tgz#c49f0a523c8c72ade28c2b86a975668832b22938"