From 93097d66067e89db46627ba6cf03815ff4ded198 Mon Sep 17 00:00:00 2001 From: Evan Herman Date: Thu, 25 Jul 2024 11:51:48 -0400 Subject: [PATCH] Escape the HTML in the editor of the posts and post carousel blocks --- package.json | 1 + src/blocks/post-carousel/post-item.js | 3 ++- src/blocks/posts/edit.js | 5 +++-- yarn.lock | 7 +++++++ 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index 5aed1d7d896..d3abbc6a5e8 100644 --- a/package.json +++ b/package.json @@ -119,6 +119,7 @@ "@wordpress/editor": "^13.21.0", "@wordpress/element": "^5.21.0", "@wordpress/env": "^10.1.0", + "@wordpress/escape-html": "^3.4.0", "@wordpress/eslint-plugin": "^17.1.0", "@wordpress/hooks": "^3.44.0", "@wordpress/i18n": "^4.44.0", diff --git a/src/blocks/post-carousel/post-item.js b/src/blocks/post-carousel/post-item.js index 4e7cee920dc..aeca2fe43c8 100644 --- a/src/blocks/post-carousel/post-item.js +++ b/src/blocks/post-carousel/post-item.js @@ -13,6 +13,7 @@ import { } from '@wordpress/components'; import { PlainText } from '@wordpress/block-editor'; import { RawHTML } from '@wordpress/element'; +import { escapeHTML } from '@wordpress/escape-html'; import { withSelect } from '@wordpress/data'; // Disable reason: We choose to use unsafe APIs in our codebase. // eslint-disable-next-line @wordpress/no-unsafe-wp-apis @@ -78,7 +79,7 @@ const PostItem = ( { - { excerpt.trim().split( ' ', excerptLength ).join( ' ' ) } + { escapeHTML( excerpt.trim().split( ' ', excerptLength ).join( ' ' ) ) } } diff --git a/src/blocks/posts/edit.js b/src/blocks/posts/edit.js index 9ba6c6dcafa..abf08c9691e 100755 --- a/src/blocks/posts/edit.js +++ b/src/blocks/posts/edit.js 
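Review bot: The escaped excerpt on the `+` line is still rendered through the `RawHTML` component imported at the top of the file, which writes the string via innerHTML; after `escapeHTML` no `<` survives so no tag can open, but that invariant is invisible at the call site and a later edit could drop the call, so I would document it right above the line: `// The REST excerpt is arbitrary HTML; escape it so RawHTML shows it as inert text instead of executing markup in the editor.` Note that `escapeHTML` from @wordpress/escape-html escapes only `&` and `<` (leaving existing character references intact), which is enough for element content but not for an attribute value, so this string must not be reused in an attribute without `escapeAttribute`. The sibling change in `src/blocks/posts/edit.js` appends `'…'` when the excerpt is truncated while this branch does not, so the two previews now diverge for long excerpts; that gap is pre-existing, not introduced here. The enclosing `PostItem` component starts before and ends after this hunk.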
@@ -13,6 +13,7 @@ import apiFetch from '@wordpress/api-fetch'; import { __ } from '@wordpress/i18n'; import { compose, usePrevious } from '@wordpress/compose'; import { lazy, RawHTML, useState, useEffect, useRef } from '@wordpress/element'; +import { escapeHTML } from '@wordpress/escape-html'; import { addQueryArgs } from '@wordpress/url'; // Disable reason: We choose to use unsafe APIs in our codebase. // eslint-disable-next-line @wordpress/no-unsafe-wp-apis @@ -435,8 +436,8 @@ const PostsEdit = ( props ) => { key="html" > { excerptLength < excerpt.trim().split( ' ' ).length - ? excerpt.trim().split( ' ', excerptLength ).join( ' ' ) + '…' - : excerpt.trim().split( ' ', excerptLength ).join( ' ' ) } + ? escapeHTML( excerpt.trim().split( ' ', excerptLength ).join( ' ' ) ) + '…' + : escapeHTML( excerpt.trim().split( ' ', excerptLength ).join( ' ' ) ) } } diff --git a/yarn.lock b/yarn.lock index 678525c1eca..de8e133b53b 100644 --- a/yarn.lock +++ b/yarn.lock @@ -4172,6 +4172,13 @@ dependencies: "@babel/runtime" "^7.16.0" +"@wordpress/escape-html@^3.4.0": + version "3.4.0" + resolved "https://registry.yarnpkg.com/@wordpress/escape-html/-/escape-html-3.4.0.tgz#ec625d409b018ff68d6081c66586fd420f74e122" + integrity sha512-KcUv+s0J/LEZEEvd+E3IkNCeW8wde0TjO+1HrcfvqI8Rfuc0zOAZeS/6ZqIeX0m/mhQ0xS2Y3e8hsnU+wAG6Mw== + dependencies: + "@babel/runtime" "^7.16.0" + "@wordpress/eslint-plugin@^12.7.0": version "12.9.0" resolved "https://registry.yarnpkg.com/@wordpress/eslint-plugin/-/eslint-plugin-12.9.0.tgz#c49f0a523c8c72ade28c2b86a975668832b22938"
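Review bot: The two `+` lines build the truncated excerpt from the same `excerpt.trim().split( ' ', excerptLength ).join( ' ' )` expression twice, and the ternary's guard splits the string a third time, so the escaping has to be remembered on every branch; computing it once removes that risk: `const words = excerpt.trim().split( ' ' );` then `const safeExcerpt = escapeHTML( words.slice( 0, excerptLength ).join( ' ' ) );` and in the JSX `{ excerptLength < words.length ? safeExcerpt + '…' : safeExcerpt }` — the two `const` lines must sit outside the JSX, i.e. outside this hunk. Escaping before the `'…'` concatenation is the right order, since the ellipsis is trusted literal text. The word count in the guard is taken over the raw HTML excerpt, so tags and entities count as words; that is pre-existing behaviour rather than something this change introduces. The `key="html"` context line suggests the result is still rendered via `RawHTML`, so this `escapeHTML` call is what keeps the editor preview from executing excerpt markup; the block's server-side render is not in this diff and I would confirm it escapes the excerpt the same way. `PostsEdit` starts before and ends after this hunk.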