From 524e863d209dd4eeef966cd4e375444e67ba9563 Mon Sep 17 00:00:00 2001
From: Dave Smith <getdavemail@gmail.com>
Date: Tue, 11 Jan 2022 11:23:09 +0000
Subject: [PATCH 1/9] Initial pass

---
 packages/block-library/src/latest-comments/index.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/block-library/src/latest-comments/index.php b/packages/block-library/src/latest-comments/index.php
index 3e649bbf5f749..e1634744d2a59 100644
--- a/packages/block-library/src/latest-comments/index.php
+++ b/packages/block-library/src/latest-comments/index.php
@@ -28,7 +28,7 @@
 function wp_latest_comments_draft_or_post_title( $post = 0 ) {
 	$title = get_the_title( $post );
 	if ( empty( $title ) ) {
-		$title = __( '(no title)' );
+		$title = esc_html__( '(no title)' );
 	}
 	return esc_html( $title );
 }
@@ -61,7 +61,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 		_prime_post_caches( $post_ids, strpos( get_option( 'permalink_structure' ), '%category%' ), false );
 
 		foreach ( $comments as $comment ) {
-			$list_items_markup .= '<li class="wp-block-latest-comments__comment">';
+			$list_items_markup .= '<li class="' . esc_attr( 'wp-block-latest-comments__comment' ) . '">';
 			if ( $attributes['displayAvatar'] ) {
 				$avatar = get_avatar(
 					$comment,
@@ -69,7 +69,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 					'',
 					'',
 					array(
-						'class' => 'wp-block-latest-comments__comment-avatar',
+						'class' => esc_attr( 'wp-block-latest-comments__comment-avatar' ),
 					)
 				);
 				if ( $avatar ) {
@@ -106,7 +106,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 				$list_items_markup .= sprintf(
 					'<time datetime="%1$s" class="wp-block-latest-comments__comment-date">%2$s</time>',
 					esc_attr( get_comment_date( 'c', $comment ) ),
-					date_i18n( get_option( 'date_format' ), get_comment_date( 'U', $comment ) )
+					esc_html( date_i18n( get_option( 'date_format' ), get_comment_date( 'U', $comment ) ) )
 				);
 			}
 			$list_items_markup .= '</footer>';
@@ -130,7 +130,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 	if ( empty( $comments ) ) {
 		$classnames[] = 'no-comments';
 	}
-	$wrapper_attributes = get_block_wrapper_attributes( array( 'class' => implode( ' ', $classnames ) ) );
+	$wrapper_attributes = get_block_wrapper_attributes( array( 'class' => esc_attr( implode( ' ', $classnames ) ) ) );
 
 	return ! empty( $comments ) ? sprintf(
 		'<ol %1$s>%2$s</ol>',
@@ -139,7 +139,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 	) : sprintf(
 		'<div %1$s>%2$s</div>',
 		$wrapper_attributes,
-		__( 'No comments to show.' )
+		esc_html__( 'No comments to show.' )
 	);
 }
 

From 820c6a5387b416895f7312aa06b0e5547a156ee5 Mon Sep 17 00:00:00 2001
From: Dave Smith <getdavemail@gmail.com>
Date: Tue, 11 Jan 2022 11:23:43 +0000
Subject: [PATCH 2/9] Escape comment excerpt

---
 packages/block-library/src/latest-comments/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/latest-comments/index.php b/packages/block-library/src/latest-comments/index.php
index e1634744d2a59..ffa3d3d2041c5 100644
--- a/packages/block-library/src/latest-comments/index.php
+++ b/packages/block-library/src/latest-comments/index.php
@@ -111,7 +111,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 			}
 			$list_items_markup .= '</footer>';
 			if ( $attributes['displayExcerpt'] ) {
-				$list_items_markup .= '<div class="wp-block-latest-comments__comment-excerpt">' . wpautop( get_comment_excerpt( $comment ) ) . '</div>';
+				$list_items_markup .= '<div class="wp-block-latest-comments__comment-excerpt">' . esc_html( wpautop( get_comment_excerpt( $comment ) ) ) . '</div>';
 			}
 			$list_items_markup .= '</article></li>';
 		}

From 7d00f3c58e217986253aa3e70260d7434a37b816 Mon Sep 17 00:00:00 2001
From: Dave Smith <getdavemail@gmail.com>
Date: Tue, 11 Jan 2022 11:24:08 +0000
Subject: [PATCH 3/9] Escape comment post title

---
 packages/block-library/src/latest-comments/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/latest-comments/index.php b/packages/block-library/src/latest-comments/index.php
index ffa3d3d2041c5..a42df7e2f6dc5 100644
--- a/packages/block-library/src/latest-comments/index.php
+++ b/packages/block-library/src/latest-comments/index.php
@@ -93,7 +93,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 
 			// `_draft_or_post_title` calls `esc_html()` so we don't need to wrap that call in
 			// `esc_html`.
-			$post_title = '<a class="wp-block-latest-comments__comment-link" href="' . esc_url( get_comment_link( $comment ) ) . '">' . wp_latest_comments_draft_or_post_title( $comment->comment_post_ID ) . '</a>';
+			$post_title = '<a class="wp-block-latest-comments__comment-link" href="' . esc_url( get_comment_link( $comment ) ) . '">' . esc_html( wp_latest_comments_draft_or_post_title( $comment->comment_post_ID ) ) . '</a>';
 
 			$list_items_markup .= sprintf(
 				/* translators: 1: author name (inside <a> or <span> tag, based on if they have a URL), 2: post title related to this comment */

From 1a0602e89b0c92c1c841e1f0759a7c396e65d33c Mon Sep 17 00:00:00 2001
From: Dave Smith <getdavemail@gmail.com>
Date: Tue, 11 Jan 2022 11:24:47 +0000
Subject: [PATCH 4/9] Escape author name

---
 packages/block-library/src/latest-comments/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/block-library/src/latest-comments/index.php b/packages/block-library/src/latest-comments/index.php
index a42df7e2f6dc5..0b986067df854 100644
--- a/packages/block-library/src/latest-comments/index.php
+++ b/packages/block-library/src/latest-comments/index.php
@@ -86,9 +86,9 @@ function render_block_core_latest_comments( $attributes = array() ) {
 
 			$author_markup = '';
 			if ( $author_url ) {
-				$author_markup .= '<a class="wp-block-latest-comments__comment-author" href="' . esc_url( $author_url ) . '">' . get_comment_author( $comment ) . '</a>';
+				$author_markup .= '<a class="wp-block-latest-comments__comment-author" href="' . esc_url( $author_url ) . '">' . esc_html( get_comment_author( $comment ) ) . '</a>';
 			} else {
-				$author_markup .= '<span class="wp-block-latest-comments__comment-author">' . get_comment_author( $comment ) . '</span>';
+				$author_markup .= '<span class="wp-block-latest-comments__comment-author">' . esc_html( get_comment_author( $comment ) ) . '</span>';
 			}
 
 			// `_draft_or_post_title` calls `esc_html()` so we don't need to wrap that call in

From 3ec6f656fe83ec3de9c50365658155d290655438 Mon Sep 17 00:00:00 2001
From: Dave Smith <getdavemail@gmail.com>
Date: Thu, 13 Jan 2022 14:08:47 +0000
Subject: [PATCH 5/9] Revert escaping of translations

---
 packages/block-library/src/latest-comments/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/latest-comments/index.php b/packages/block-library/src/latest-comments/index.php
index 0b986067df854..063f5a7462c9e 100644
--- a/packages/block-library/src/latest-comments/index.php
+++ b/packages/block-library/src/latest-comments/index.php
@@ -139,7 +139,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 	) : sprintf(
 		'<div %1$s>%2$s</div>',
 		$wrapper_attributes,
-		esc_html__( 'No comments to show.' )
+		__( 'No comments to show.' )
 	);
 }
 

From d68952855024ee162666695aedc8458d7f5a384a Mon Sep 17 00:00:00 2001
From: Dave Smith <getdavemail@gmail.com>
Date: Thu, 13 Jan 2022 14:10:02 +0000
Subject: [PATCH 6/9] Move Post title escaping at point of output

Previously we were esaping within the function generating the title. Now we escape the result of calling the function.
---
 packages/block-library/src/latest-comments/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/block-library/src/latest-comments/index.php b/packages/block-library/src/latest-comments/index.php
index 063f5a7462c9e..21aa519a2c609 100644
--- a/packages/block-library/src/latest-comments/index.php
+++ b/packages/block-library/src/latest-comments/index.php
@@ -28,9 +28,9 @@
 function wp_latest_comments_draft_or_post_title( $post = 0 ) {
 	$title = get_the_title( $post );
 	if ( empty( $title ) ) {
-		$title = esc_html__( '(no title)' );
+		$title = __( '(no title)' );
 	}
-	return esc_html( $title );
+	return $title;
 }
 
 /**

From 07e12d83c12019829b4ddeaf12ec216f59f3cb73 Mon Sep 17 00:00:00 2001
From: Dave Smith <getdavemail@gmail.com>
Date: Thu, 13 Jan 2022 14:11:21 +0000
Subject: [PATCH 7/9] Revert escaping of hardcoded inlined string

The key here is that they are inlined and not variables
---
 packages/block-library/src/latest-comments/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/block-library/src/latest-comments/index.php b/packages/block-library/src/latest-comments/index.php
index 21aa519a2c609..9291bbe9229ca 100644
--- a/packages/block-library/src/latest-comments/index.php
+++ b/packages/block-library/src/latest-comments/index.php
@@ -61,7 +61,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 		_prime_post_caches( $post_ids, strpos( get_option( 'permalink_structure' ), '%category%' ), false );
 
 		foreach ( $comments as $comment ) {
-			$list_items_markup .= '<li class="' . esc_attr( 'wp-block-latest-comments__comment' ) . '">';
+			$list_items_markup .= '<li class="wp-block-latest-comments__comment">';
 			if ( $attributes['displayAvatar'] ) {
 				$avatar = get_avatar(
 					$comment,
@@ -69,7 +69,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 					'',
 					'',
 					array(
-						'class' => esc_attr( 'wp-block-latest-comments__comment-avatar' ),
+						'class' => 'wp-block-latest-comments__comment-avatar',
 					)
 				);
 				if ( $avatar ) {

From 20d6c3776a9929b98c6d59ac9d729eb4ed3b2997 Mon Sep 17 00:00:00 2001
From: Dave Smith <getdavemail@gmail.com>
Date: Thu, 13 Jan 2022 14:15:23 +0000
Subject: [PATCH 8/9] Revert escape of comment excerpt

This is not escaped when used in Core so is ok
---
 packages/block-library/src/latest-comments/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/latest-comments/index.php b/packages/block-library/src/latest-comments/index.php
index 9291bbe9229ca..b95f31f83c404 100644
--- a/packages/block-library/src/latest-comments/index.php
+++ b/packages/block-library/src/latest-comments/index.php
@@ -111,7 +111,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 			}
 			$list_items_markup .= '</footer>';
 			if ( $attributes['displayExcerpt'] ) {
-				$list_items_markup .= '<div class="wp-block-latest-comments__comment-excerpt">' . esc_html( wpautop( get_comment_excerpt( $comment ) ) ) . '</div>';
+				$list_items_markup .= '<div class="wp-block-latest-comments__comment-excerpt">' . wpautop( get_comment_excerpt( $comment ) ) . '</div>';
 			}
 			$list_items_markup .= '</article></li>';
 		}

From 63dc1c5aece5590324ef10e1de23b42006443b15 Mon Sep 17 00:00:00 2001
From: Dave Smith <getdavemail@gmail.com>
Date: Thu, 13 Jan 2022 14:16:29 +0000
Subject: [PATCH 9/9] Revert escaping get_block_wrapper_attributes

---
 packages/block-library/src/latest-comments/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/latest-comments/index.php b/packages/block-library/src/latest-comments/index.php
index b95f31f83c404..1b340f39fe70f 100644
--- a/packages/block-library/src/latest-comments/index.php
+++ b/packages/block-library/src/latest-comments/index.php
@@ -130,7 +130,7 @@ function render_block_core_latest_comments( $attributes = array() ) {
 	if ( empty( $comments ) ) {
 		$classnames[] = 'no-comments';
 	}
-	$wrapper_attributes = get_block_wrapper_attributes( array( 'class' => esc_attr( implode( ' ', $classnames ) ) ) );
+	$wrapper_attributes = get_block_wrapper_attributes( array( 'class' => implode( ' ', $classnames ) ) );
 
 	return ! empty( $comments ) ? sprintf(
 		'<ol %1$s>%2$s</ol>',