Escape class name to avoid malformed html tag (#20977)

WordPress · Mar 18, 2020 · 46d5f4d · 46d5f4d
1 parent 14d15bf
commit 46d5f4d
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/packages/block-library/src/rss/index.php b/packages/block-library/src/rss/index.php
@@ -92,7 +92,7 @@ function render_block_core_rss( $attributes ) {
 		$class .= ' ' . $attributes['className'];
 	}
 
-	return "<ul class='{$class}'>{$list_items}</ul>";
+	return sprintf( "<ul class='%s'>%s</ul>", esc_attr( $class ), $list_items );
 }
 
 /**

diff --git a/packages/block-library/src/search/index.php b/packages/block-library/src/search/index.php
@@ -57,7 +57,7 @@ function render_block_core_search( $attributes ) {
 
 	return sprintf(
 		'<form class="%s" role="search" method="get" action="%s">%s</form>',
-		$class,
+		esc_attr( $class ),
 		esc_url( home_url( '/' ) ),
 		$label_markup . $input_markup . $button_markup
 	);