Contributor

@getdave getdave commented Nov 28, 2025

What

This is a follow-up to #73614. Fixes inconsistency in the Page List block frontend rendering where buttons were escaping HTML (showing raw markup) while links rendered HTML correctly. Both buttons and links now render HTML formatting consistently.

Why

After #73614 fixed the editor rendering, there remained an inconsistency in the frontend PHP code:

  • Buttons used esc_html( $title ) which escaped HTML, showing raw markup
  • Links output $title directly (after early sanitization), rendering HTML correctly

Additionally, the code was sanitizing early (using wp_kses_post() on line 195) rather than at the point of output, which reduces resilience and clarity.

How

  • Removed early sanitization of $title variable
  • Applied wp_kses_post() at the point of output for both buttons (line 206) and links (line 209)
  • This ensures HTML is sanitized just before rendering, making the code more resilient to accidental variable modification and clearer to review

Escaping at the point of output is preferred because:

  • It's more resilient: if the variable is accidentally modified before output, it's still properly sanitized
  • It's clearer: reviewers can immediately see that output is sanitized without tracing through the code
  • It's more maintainable: future code changes are less likely to introduce security issues

Testing Instructions

  1. Create a page with HTML in the title (e.g., <strong>Bold Title</strong>)
  2. Insert a Page List block in a Navigation block with openSubmenusOnClick enabled
  3. Verify the button displays with formatting rendered (bold text, not raw <strong> tags)
  4. Verify links also display with formatting rendered
  5. Compare with editor preview to ensure they match

Updates the frontend PHP rendering to escape HTML at the point of output
instead of early sanitization, ensuring consistency between button and
link rendering and following WordPress security best practices.
@getdave getdave self-assigned this Nov 28, 2025
@getdave getdave added the [Type] Bug (An existing feature does not function as intended) and [Block] Page List (Affects the Page List Block) labels Nov 28, 2025
@getdave getdave marked this pull request as ready for review November 28, 2025 08:50
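
The early-versus-late sanitization difference described in the pull request above, as an added illustration that is not code from the pull request or from Gutenberg. It assumes WordPress is loaded; the `demo_*` functions, the `$decorate` callback and the sample titles are constructed for this example.

```php
<?php
// Added illustration; not the Page List block's source. Assumes WordPress is
// loaded (for example, run with `wp eval-file late-escape-demo.php`).
// All demo_* names and the sample titles are constructed for this example.

// Early sanitization: $title is cleaned once, then trusted until output.
function demo_render_early( $raw_title, $decorate = null ) {
	$title = wp_kses_post( $raw_title );
	if ( $decorate ) {
		// Any change made here is never sanitized again.
		$title = $decorate( $title );
	}
	return array(
		'button' => '<button>' . esc_html( $title ) . '</button>', // shows raw tags
		'link'   => '<a href="#">' . $title . '</a>',              // trusts $title
	);
}

// Late sanitization: wp_kses_post() runs at each point of output.
function demo_render_late( $raw_title, $decorate = null ) {
	$title = $raw_title;
	if ( $decorate ) {
		$title = $decorate( $title );
	}
	return array(
		'button' => '<button>' . wp_kses_post( $title ) . '</button>',
		'link'   => '<a href="#">' . wp_kses_post( $title ) . '</a>',
	);
}

// Constructed input: a formatted title, and a later edit that appends
// an attribute wp_kses_post() does not allow.
$raw      = '<strong>Bold Title</strong>';
$decorate = function ( $title ) {
	return $title . '<img src="x" onerror="console.log(1)">';
};

foreach ( array( 'early' => 'demo_render_early', 'late' => 'demo_render_late' ) as $label => $render ) {
	foreach ( array( null, $decorate ) as $modifier ) {
		$out = $render( $raw, $modifier );
		printf( "%-5s modified=%-3s\n  button: %s\n  link:   %s\n", $label, $modifier ? 'yes' : 'no', $out['button'], $out['link'] );
	}
}
```

In the early variant's modified run, the link carries the appended `onerror` attribute through unchanged and the button shows escaped tags as text; in the late variant both outputs keep the `<strong>` formatting and have the attribute stripped.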
github-actions bot commented Nov 28, 2025

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: getdave <[email protected]>
Co-authored-by: mikachan <[email protected]>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

Member

@mikachan mikachan left a comment

Tests well and LGTM!

@getdave getdave merged commit b0aff2d into trunk Nov 28, 2025
45 of 47 checks passed
@getdave getdave deleted the fix/page-list-button-html-escape-late branch November 28, 2025 16:09
@github-actions github-actions bot added this to the Gutenberg 22.3 milestone Nov 28, 2025