From db0d3dba3ff8a81d101fbac9e2e94abcef2baa65 Mon Sep 17 00:00:00 2001
From: tellthemachines
Date: Tue, 9 Apr 2024 15:46:18 +1000
Subject: [PATCH] Fully escape the display names of users and commenters in the Avatar block. (#60579)
Co-authored-by: johnbillion
Co-authored-by: andrewserong
---
 packages/block-library/src/avatar/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/block-library/src/avatar/index.php b/packages/block-library/src/avatar/index.php
index f6e3f6a7eeaf2..5a821f5573a05 100644
--- a/packages/block-library/src/avatar/index.php
+++ b/packages/block-library/src/avatar/index.php
@@ -97,7 +97,7 @@ function render_block_core_avatar( $attributes, $content, $block ) {
 $label = '';
 if ( '_blank' === $attributes['linkTarget'] ) {
 // translators: %s is the Author name.
- $label = 'aria-label="' . sprintf( esc_attr__( '(%s author archive, opens in a new tab)' ), $author_name ) . '"';
+ $label = 'aria-label="' . esc_attr( sprintf( __( '(%s author archive, opens in a new tab)' ), $author_name ) ) . '"';
 }
 // translators: %1$s: Author archive link. %2$s: Link target. %3$s Aria label. %4$s Avatar image.
 $avatar_block = sprintf( '%4$s', get_author_posts_url( $author_id ), esc_attr( $attributes['linkTarget'] ), $label, $avatar_block );
@@ -124,7 +124,7 @@ function render_block_core_avatar( $attributes, $content, $block ) {
 $label = '';
 if ( '_blank' === $attributes['linkTarget'] ) {
 // translators: %s is the Comment Author name.
- $label = 'aria-label="' . sprintf( esc_attr__( '(%s website link, opens in a new tab)' ), $comment->comment_author ) . '"';
+ $label = 'aria-label="' . esc_attr( sprintf( __( '(%s website link, opens in a new tab)' ), $comment->comment_author ) ) . '"';
 }
 // translators: %1$s: Comment Author website link. %2$s: Link target. %3$s Aria label. %4$s Avatar image.
 $avatar_block = sprintf( '%4$s', esc_url( $comment->comment_author_url ), esc_attr( $attributes['linkTarget'] ), $label, $avatar_block );
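Review bot: The link argument on the `$avatar_block = sprintf(` line that closes this hunk is passed as bare `get_author_posts_url( $author_id )`, while the matching line in the second hunk wraps its URL in `esc_url()`. The format string is not readable on this page, but the translators comment names `%1$s` as the author archive link, so presumably it is written into an attribute. Because the archive URL can be changed by filters before it reaches this point, it should be escaped at output like the other values on that line: `esc_url( get_author_posts_url( $author_id ) )`. `render_block_core_avatar()` starts and ends outside the hunk.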
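Review bot: Nothing beside the new `esc_attr( sprintf( __( ... ), $comment->comment_author ) )` call records why the escaping has to wrap the whole formatted string. The pre-patch form `sprintf( esc_attr__( ... ), $name )` looks equivalent at a glance, so a later cleanup could bring it back. `$comment->comment_author` is normally whatever the commenter entered, so a why-comment is worth adding above the existing `// translators:` line, which should stay directly before `__()` so string extraction still finds it: `// Escape after sprintf(): the commenter name is untrusted and must be escaped together with the translated text.` The function body continues outside the hunk.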