Late escape our block content

includes/blocks/class-element.php

@@ -28,14 +28,6 @@ class GenerateBlocks_Block_Element extends GenerateBlocks_Block {
 	 * @param array  $block         The block.
 	 */
 	public static function render_block( $attributes, $block_content, $block ) {
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$block_content   = generateblocks_with_escaped_attributes(
-			$block_content,
-			[
-				'block_html_attrs' => $html_attributes,
-			]
-		);
-
 		// Add styles to this block if needed.
 		$block_content = generateblocks_maybe_add_block_css(
 			$block_content,

includes/blocks/class-loop-item.php

@@ -45,14 +45,6 @@ public static function render_block( $attributes, $block_content, $block ) {
 			}
 		}
 
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$block_content   = generateblocks_with_escaped_attributes(
-			$block_content,
-			[
-				'block_html_attrs' => $html_attributes,
-			]
-		);
-
 		// Add styles to this block if needed.
 		$block_content = generateblocks_maybe_add_block_css(
 			$block_content,

includes/blocks/class-media.php

@@ -28,16 +28,6 @@ class GenerateBlocks_Block_Media extends GenerateBlocks_Block {
 	 * @param array  $block         The block.
 	 */
 	public static function render_block( $attributes, $block_content, $block ) {
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$link_attributes = $attributes['linkHtmlAttributes'] ?? [];
-		$block_content   = generateblocks_with_escaped_attributes(
-			$block_content,
-			[
-				'block_html_attrs' => $html_attributes,
-				'link_html_attrs'  => $link_attributes,
-			]
-		);
-
 		// Add styles to this block if needed.
 		$block_content = generateblocks_maybe_add_block_css(
 			$block_content,

includes/blocks/class-query.php

@@ -136,14 +136,6 @@ public static function render_block( $attributes, $block_content, $block ) {
 			)
 		)->render( array( 'dynamic' => false ) );
 
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$parsed_content   = generateblocks_with_escaped_attributes(
-			$parsed_content,
-			[
-				'block_html_attrs' => $html_attributes,
-			]
-		);
-
 		if ( $instant_pagination && class_exists( 'WP_HTML_Tag_Processor' ) ) {
 			$processor = new WP_HTML_Tag_Processor( $parsed_content );
 

includes/blocks/class-shape.php

@@ -28,14 +28,6 @@ class GenerateBlocks_Block_Shape extends GenerateBlocks_Block {
 	 * @param array  $block         The block.
 	 */
 	public static function render_block( $attributes, $block_content, $block ) {
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$block_content   = generateblocks_with_escaped_attributes(
-			$block_content,
-			[
-				'block_html_attrs' => $html_attributes,
-			]
-		);
-
 		// Add styles to this block if needed.
 		$block_content = generateblocks_maybe_add_block_css(
 			$block_content,

includes/blocks/class-text.php

@@ -28,14 +28,6 @@ class GenerateBlocks_Block_Text extends GenerateBlocks_Block {
 	 * @param array  $block         The block.
 	 */
 	public static function render_block( $attributes, $block_content, $block ) {
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$block_content   = generateblocks_with_escaped_attributes(
-			$block_content,
-			[
-				'block_html_attrs' => $html_attributes,
-			]
-		);
-
 		// Add styles to this block if needed.
 		$block_content = generateblocks_maybe_add_block_css(
 			$block_content,

includes/functions.php

@@ -2147,6 +2147,12 @@ function generateblocks_with_escaped_attributes( $content, $args = [] ) {
 	$tags_processed = 0;
 
 	while ( $processor->next_tag() && $tags_processed < $max_tags ) {
+		$tag = $processor->get_tag();
+
+		if ( 'STYLE' === $tag ) {
+			continue;
+		}
+
 		foreach ( $processor->get_attribute_names_with_prefix( '' ) as $name ) {
 			$attribute_value = $processor->get_attribute( $name );
 			$escaped_value   = generateblocks_get_escaped_html_attribute( $name, $attribute_value );
@@ -2164,3 +2170,21 @@ function generateblocks_with_escaped_attributes( $content, $args = [] ) {
 
 	return $content;
 }
+
+/**
+ * Get a list of our v1 block names.
+ *
+ * @since 2.0.0
+ * @return array The block names.
+ */
+function generateblocks_get_v1_block_names() {
+	return [
+		'generateblocks/button-container',
+		'generateblocks/button',
+		'generateblocks/container',
+		'generateblocks/grid',
+		'generateblocks/headline',
+		'generateblocks/image',
+		'generateblocks/query-loop',
+	];
+}

includes/general.php

@@ -681,3 +681,41 @@ function generateblocks_admin_head_scripts() {
 		$permission_object // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	);
 }
+
+add_filter( 'render_block', 'generateblocks_do_html_attributes_escaping', 20, 2 );
+/**
+ * Filter the rendered block content and escape HTML attributes.
+ *
+ * @param string $content The block content about to be appended to the post content.
+ * @param array  $block    The full block, including name and attributes.
+ * @return string
+ */
+function generateblocks_do_html_attributes_escaping( $content, $block ) {
+	$html_attributes = $block['attrs']['htmlAttributes'] ?? [];
+	$link_attributes = $block['attrs']['linkHtmlAttributes'] ?? [];
+
+	if ( empty( $html_attributes ) && empty( $link_attributes ) ) {
+		return $content;
+	}
+
+	$v1_block_names  = generateblocks_get_v1_block_names();
+	$block_name      = $block['blockName'] ?? '';
+
+	// Only do this for our non-v1 blocks.
+	if (
+		! generateblocks_str_starts_with( $block_name, 'generateblocks' ) ||
+		in_array( $block_name, $v1_block_names, true )
+	) {
+		return $content;
+	}
+
+	$content = generateblocks_with_escaped_attributes(
+		$content,
+		[
+			'block_html_attrs' => $html_attributes,
+			'link_html_attrs'  => $link_attributes,
+		]
+	);
+
+	return $content;
+}