From 46cd05ac852f012192b7bf7b15425ca6d2a603fb Mon Sep 17 00:00:00 2001
From: tellthemachines
Date: Tue, 9 Apr 2024 15:46:18 +1000
Subject: [PATCH] Fully escape the display names of users and commenters in the Avatar block. (#60579)
Co-authored-by: johnbillion
Co-authored-by: andrewserong
---
 packages/block-library/src/avatar/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/block-library/src/avatar/index.php b/packages/block-library/src/avatar/index.php
index b2f8ecace75a69..cc86052af4abe2 100644
--- a/packages/block-library/src/avatar/index.php
+++ b/packages/block-library/src/avatar/index.php
@@ -62,7 +62,7 @@ function render_block_core_avatar( $attributes, $content, $block ) {
 $label = '';
 if ( '_blank' === $attributes['linkTarget'] ) {
 // translators: %s is the Author name.
- $label = 'aria-label="' . sprintf( esc_attr__( '(%s author archive, opens in a new tab)' ), $author_name ) . '"';
+ $label = 'aria-label="' . esc_attr( sprintf( __( '(%s author archive, opens in a new tab)' ), $author_name ) ) . '"';
 }
 // translators: %1$s: Author archive link. %2$s: Link target. %3$s Aria label. %4$s Avatar image.
 $avatar_block = sprintf( '%4$s', esc_url( get_author_posts_url( $author_id ) ), esc_attr( $attributes['linkTarget'] ), $label, $avatar_block );
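Review bot: Nothing in this patch pins the new escaping order: the diffstat shows only index.php changed, so no test renders the block with a display name containing a double quote or angle bracket and checks the resulting `aria-label` value. `$label` is passed as the `%3$s` argument of the sprintf that follows, apparently without further escaping, so the rule that the whole formatted string (translation plus name) goes through `esc_attr()` deserves a comment above the added line, e.g. `// $label is output as-is below: escape the formatted string, not just the translation.` The same applies to the comment-author branch in the second hunk (`@@ -89,7 +89,7 @@`). render_block_core_avatar starts and ends outside this hunk.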
@@ -89,7 +89,7 @@ function render_block_core_avatar( $attributes, $content, $block ) {
 $label = '';
 if ( '_blank' === $attributes['linkTarget'] ) {
 // translators: %s is the Comment Author name.
- $label = 'aria-label="' . sprintf( esc_attr__( '(%s website link, opens in a new tab)' ), $comment->comment_author ) . '"';
+ $label = 'aria-label="' . esc_attr( sprintf( __( '(%s website link, opens in a new tab)' ), $comment->comment_author ) ) . '"';
 }
 // translators: %1$s: Comment Author website link. %2$s: Link target. %3$s Aria label. %4$s Avatar image.
 $avatar_block = sprintf( '%4$s', esc_url( $comment->comment_author_url ), esc_attr( $attributes['linkTarget'] ), $label, $avatar_block );
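Review bot: The added line reads `$comment->comment_author` directly, so a comment stored with an empty author name would produce the label `( website link, opens in a new tab)`; whether that case is excluded earlier in render_block_core_avatar is not visible in this hunk. Core's `get_comment_author( $comment )` falls back to the linked user's display name or "Anonymous" and applies the `get_comment_author` filter, so passing `get_comment_author( $comment )` as the sprintf argument inside the existing `esc_attr()` would keep the label meaningful. This value is commenter-supplied, so the outer `esc_attr()` must stay around the full formatted string whichever source is used.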