Categories block: Escape label (WordPress#65540)
* Categories block: Escape label

Escape the label attribute before output inside the label HTML element, using esc_html().

* Categories: Switch escaping function

Escape the label with wp_kses_post() instead of esc_html to allow some HTML tags and to be consistent with escaping other labels in other blocks.

Co-authored-by: carolinan <[email protected]>
Co-authored-by: cbravobernal <[email protected]>
3 people authored and huubl committed Oct 2, 2024
1 parent 78dc0d4 commit 8339b8a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion packages/block-library/src/categories/index.php
Expand Up @@ -49,7 +49,7 @@ function render_block_core_categories( $attributes, $content, $block ) {

$show_label = empty( $attributes['showLabel'] ) ? ' screen-reader-text' : '';
$default_label = $taxonomy->label;
$label_text = ! empty( $attributes['label'] ) ? $attributes['label'] : $default_label;
$label_text = ! empty( $attributes['label'] ) ? wp_kses_post( $attributes['label'] ) : $default_label;
$wrapper_markup = '<div %1$s><label class="wp-block-categories__label' . $show_label . '" for="' . esc_attr( $id ) . '">' . $label_text . '</label>%2$s</div>';
$items_markup = wp_dropdown_categories( $args );
$type = 'dropdown';
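
Review bot: In the changed `$label_text` line, only the `$attributes['label']` branch passes through wp_kses_post(); the `$default_label` fallback (`$taxonomy->label`) still reaches the `<label>` element in `$wrapper_markup` unfiltered, and the filtering is done at assignment rather than at the point of output. Consider keeping the assignment as it was and wrapping the value where it is concatenated, i.e. `. wp_kses_post( $label_text ) .` inside `$wrapper_markup`, so both branches are covered and the escaping sits beside the output the same way `esc_attr( $id )` does on that line. Because wp_kses_post() keeps post-allowed HTML instead of encoding it, a short inline comment stating that markup in the label is intentional would also help later readers.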