From e07976f70d69ca565a554509f9958b16136cb0c9 Mon Sep 17 00:00:00 2001
From: tellthemachines
Date: Tue, 9 Apr 2024 15:46:18 +1000
Subject: [PATCH] Fully escape the display names of users and commenters in the Avatar block. (#60579)

Co-authored-by: johnbillion
Co-authored-by: andrewserong
---
 packages/block-library/src/avatar/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/block-library/src/avatar/index.php b/packages/block-library/src/avatar/index.php
index d404fb81ca357..ba6a5e043c173 100644
--- a/packages/block-library/src/avatar/index.php
+++ b/packages/block-library/src/avatar/index.php
@@ -49,7 +49,7 @@ function render_block_core_avatar( $attributes, $content, $block ) {
 $label = '';
 if ( '_blank' === $attributes['linkTarget'] ) {
 // translators: %s is the Author name.
- $label = 'aria-label="' . sprintf( esc_attr__( '(%s author archive, opens in a new tab)' ), $author_name ) . '"';
+ $label = 'aria-label="' . esc_attr( sprintf( __( '(%s author archive, opens in a new tab)' ), $author_name ) ) . '"';
 }
 // translators: %1$s: Author archive link. %2$s: Link target. %3$s Aria label. %4$s Avatar image.
 $avatar_block = sprintf( '%4$s', esc_url( get_author_posts_url( $author_id ) ), esc_attr( $attributes['linkTarget'] ), $label, $avatar_block );
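Review bot: Nothing on the new `$label` line records why `esc_attr()` has to wrap the whole `sprintf()`, so a later tidy-up could fold it back into `esc_attr__()`, which escapes only the translated format string and leaves the substituted display name raw inside the attribute. I would add `// Escape after substitution: $author_name is user-controlled and ends up inside aria-label.` above the existing translators comment (that one has to stay directly before the `__()` call), and the equivalent line for `$comment->comment_author` in the second hunk. The diffstat shows only index.php changed, so no test pins the behaviour; a render test using a display name that contains a double quote, asserting it comes out as an entity, would guard both branches. The body of render_block_core_avatar starts and ends outside the hunk.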
@@ -76,7 +76,7 @@ function render_block_core_avatar( $attributes, $content, $block ) {
 $label = '';
 if ( '_blank' === $attributes['linkTarget'] ) {
 // translators: %s is the Comment Author name.
- $label = 'aria-label="' . sprintf( esc_attr__( '(%s website link, opens in a new tab)' ), $comment->comment_author ) . '"';
+ $label = 'aria-label="' . esc_attr( sprintf( __( '(%s website link, opens in a new tab)' ), $comment->comment_author ) ) . '"';
 }
 // translators: %1$s: Comment Author website link. %2$s: Link target. %3$s Aria label. %4$s Avatar image.
 $avatar_block = sprintf( '%4$s', esc_url( $comment->comment_author_url ), esc_attr( $attributes['linkTarget'] ), $label, $avatar_block );
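Review bot: The new label line still reads `$comment->comment_author` directly, so a comment stored with an empty author name would presumably yield the label "( website link, opens in a new tab)" with no name for assistive technology to announce. Any empty-name handling sits outside the hunk, so this is unverified. `get_comment_author( $comment )` supplies WordPress's usual fallback name for that case and fits the same wrapper without weakening the escaping: `esc_attr( sprintf( __( '(%s website link, opens in a new tab)' ), get_comment_author( $comment ) ) )`. The enclosing function starts and ends outside the hunk.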