From f420032bc9f651cccc317f30d0ceef71696b61f9 Mon Sep 17 00:00:00 2001
From: Tom Usborne <tom@edge22.com>
Date: Mon, 16 Dec 2024 16:17:05 -0500
Subject: [PATCH] Late escape our block content

---
 includes/blocks/class-element.php   |  8 ------
 includes/blocks/class-loop-item.php |  8 ------
 includes/blocks/class-media.php     | 10 --------
 includes/blocks/class-query.php     |  8 ------
 includes/blocks/class-shape.php     |  8 ------
 includes/blocks/class-text.php      |  8 ------
 includes/functions.php              | 24 ++++++++++++++++++
 includes/general.php                | 38 +++++++++++++++++++++++++++++
 8 files changed, 62 insertions(+), 50 deletions(-)

diff --git a/includes/blocks/class-element.php b/includes/blocks/class-element.php
index 7335ef9be..644e5a460 100644
--- a/includes/blocks/class-element.php
+++ b/includes/blocks/class-element.php
@@ -28,14 +28,6 @@ class GenerateBlocks_Block_Element extends GenerateBlocks_Block {
 	 * @param array  $block         The block.
 	 */
 	public static function render_block( $attributes, $block_content, $block ) {
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$block_content   = generateblocks_with_escaped_attributes(
-			$block_content,
-			[
-				'block_html_attrs' => $html_attributes,
-			]
-		);
-
 		// Add styles to this block if needed.
 		$block_content = generateblocks_maybe_add_block_css(
 			$block_content,
diff --git a/includes/blocks/class-loop-item.php b/includes/blocks/class-loop-item.php
index 34f920312..220d68787 100644
--- a/includes/blocks/class-loop-item.php
+++ b/includes/blocks/class-loop-item.php
@@ -45,14 +45,6 @@ public static function render_block( $attributes, $block_content, $block ) {
 			}
 		}
 
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$block_content   = generateblocks_with_escaped_attributes(
-			$block_content,
-			[
-				'block_html_attrs' => $html_attributes,
-			]
-		);
-
 		// Add styles to this block if needed.
 		$block_content = generateblocks_maybe_add_block_css(
 			$block_content,
diff --git a/includes/blocks/class-media.php b/includes/blocks/class-media.php
index 79cc6c3ae..f74680e20 100644
--- a/includes/blocks/class-media.php
+++ b/includes/blocks/class-media.php
@@ -28,16 +28,6 @@ class GenerateBlocks_Block_Media extends GenerateBlocks_Block {
 	 * @param array  $block         The block.
 	 */
 	public static function render_block( $attributes, $block_content, $block ) {
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$link_attributes = $attributes['linkHtmlAttributes'] ?? [];
-		$block_content   = generateblocks_with_escaped_attributes(
-			$block_content,
-			[
-				'block_html_attrs' => $html_attributes,
-				'link_html_attrs'  => $link_attributes,
-			]
-		);
-
 		// Add styles to this block if needed.
 		$block_content = generateblocks_maybe_add_block_css(
 			$block_content,
diff --git a/includes/blocks/class-query.php b/includes/blocks/class-query.php
index 71aa871fc..ebb8b27de 100644
--- a/includes/blocks/class-query.php
+++ b/includes/blocks/class-query.php
@@ -136,14 +136,6 @@ public static function render_block( $attributes, $block_content, $block ) {
 			)
 		)->render( array( 'dynamic' => false ) );
 
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$parsed_content   = generateblocks_with_escaped_attributes(
-			$parsed_content,
-			[
-				'block_html_attrs' => $html_attributes,
-			]
-		);
-
 		if ( $instant_pagination && class_exists( 'WP_HTML_Tag_Processor' ) ) {
 			$processor = new WP_HTML_Tag_Processor( $parsed_content );
 
diff --git a/includes/blocks/class-shape.php b/includes/blocks/class-shape.php
index 8f599d746..586219911 100644
--- a/includes/blocks/class-shape.php
+++ b/includes/blocks/class-shape.php
@@ -28,14 +28,6 @@ class GenerateBlocks_Block_Shape extends GenerateBlocks_Block {
 	 * @param array  $block         The block.
 	 */
 	public static function render_block( $attributes, $block_content, $block ) {
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$block_content   = generateblocks_with_escaped_attributes(
-			$block_content,
-			[
-				'block_html_attrs' => $html_attributes,
-			]
-		);
-
 		// Add styles to this block if needed.
 		$block_content = generateblocks_maybe_add_block_css(
 			$block_content,
diff --git a/includes/blocks/class-text.php b/includes/blocks/class-text.php
index fdd66cd0f..c111b98b8 100644
--- a/includes/blocks/class-text.php
+++ b/includes/blocks/class-text.php
@@ -28,14 +28,6 @@ class GenerateBlocks_Block_Text extends GenerateBlocks_Block {
 	 * @param array  $block         The block.
 	 */
 	public static function render_block( $attributes, $block_content, $block ) {
-		$html_attributes = $attributes['htmlAttributes'] ?? [];
-		$block_content   = generateblocks_with_escaped_attributes(
-			$block_content,
-			[
-				'block_html_attrs' => $html_attributes,
-			]
-		);
-
 		// Add styles to this block if needed.
 		$block_content = generateblocks_maybe_add_block_css(
 			$block_content,
diff --git a/includes/functions.php b/includes/functions.php
index 1f7047b67..452438c8c 100644
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -2147,6 +2147,12 @@ function generateblocks_with_escaped_attributes( $content, $args = [] ) {
 	$tags_processed = 0;
 
 	while ( $processor->next_tag() && $tags_processed < $max_tags ) {
+		$tag = $processor->get_tag();
+
+		if ( 'STYLE' === $tag ) {
+			continue;
+		}
+
 		foreach ( $processor->get_attribute_names_with_prefix( '' ) as $name ) {
 			$attribute_value = $processor->get_attribute( $name );
 			$escaped_value   = generateblocks_get_escaped_html_attribute( $name, $attribute_value );
@@ -2164,3 +2170,21 @@ function generateblocks_with_escaped_attributes( $content, $args = [] ) {
 
 	return $content;
 }
+
+/**
+ * Get a list of our v1 block names.
+ *
+ * @since 2.0.0
+ * @return array The block names.
+ */
+function generateblocks_get_v1_block_names() {
+	return [
+		'generateblocks/button-container',
+		'generateblocks/button',
+		'generateblocks/container',
+		'generateblocks/grid',
+		'generateblocks/headline',
+		'generateblocks/image',
+		'generateblocks/query-loop',
+	];
+}
diff --git a/includes/general.php b/includes/general.php
index 1f4fd3c36..83884e33e 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -681,3 +681,41 @@ function generateblocks_admin_head_scripts() {
 		$permission_object // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	);
 }
+
+add_filter( 'render_block', 'generateblocks_do_html_attributes_escaping', 20, 2 );
+/**
+ * Filter the rendered block content and escape HTML attributes.
+ *
+ * @param string $content The block content about to be appended to the post content.
+ * @param array  $block    The full block, including name and attributes.
+ * @return string
+ */
+function generateblocks_do_html_attributes_escaping( $content, $block ) {
+	$html_attributes = $block['attrs']['htmlAttributes'] ?? [];
+	$link_attributes = $block['attrs']['linkHtmlAttributes'] ?? [];
+
+	if ( empty( $html_attributes ) && empty( $link_attributes ) ) {
+		return $content;
+	}
+
+	$v1_block_names  = generateblocks_get_v1_block_names();
+	$block_name      = $block['blockName'] ?? '';
+
+	// Only do this for our non-v1 blocks.
+	if (
+		! generateblocks_str_starts_with( $block_name, 'generateblocks' ) ||
+		in_array( $block_name, $v1_block_names, true )
+	) {
+		return $content;
+	}
+
+	$content = generateblocks_with_escaped_attributes(
+		$content,
+		[
+			'block_html_attrs' => $html_attributes,
+			'link_html_attrs'  => $link_attributes,
+		]
+	);
+
+	return $content;
+}