[wp-trac] [WordPress Trac] #65396: Blocks: Add missing esc_url() to href output in post-author-name and post-date block renderers
WordPress Trac
noreply at wordpress.org
Tue Jun 2 22:59:26 UTC 2026
#65396: Blocks: Add missing esc_url() to href output in post-author-name and post-date block renderers
--------------------------+-------------------------------------
Reporter: thisismyurl | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Editor | Version: trunk
Severity: normal | Keywords: has-patch needs-testing
Focuses: |
--------------------------+-------------------------------------
The `post-author-name` and `post-date` block render functions output URLs directly into `href` attributes without `esc_url()`.

`post-author-name.php` line 35: `get_author_posts_url()` is passed raw into the sprintf href placeholder.

`post-date.php` line 87: `get_the_permalink()` is passed raw into the sprintf href placeholder. This line also uses `%1s`/`%2s` format specifiers instead of the positional `%1$s`/`%2$s` used consistently in all sibling block renderers.

Both sibling files (`post-author.php`, `comment-author-name.php`, `post-title.php`) wrap their href values with `esc_url()`. These two files were missed.

Fix: wrap `get_author_posts_url()` and `get_the_permalink()` with `esc_url()` in both files, and update the format specifiers in `post-date.php` for consistency.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65396>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
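
The two points raised in the ticket, as an added example that is not WordPress core code and not the ticket's patch: a URL placed raw in an `href` versus wrapped in `esc_url()`, and how `%1s`/`%2s` differ from positional `%1$s`/`%2$s`. The `demo_*` helpers, the format strings and the URL are constructed, and the `esc_url()` fallback is a simplified stand-in used only when WordPress is not loaded.

```php
<?php
// Added illustration. Not WordPress core code; URLs and markup are constructed.

// Simplified stand-in so this file runs without WordPress loaded. The real
// esc_url() also enforces an allowed-protocol list and strips characters.
if ( ! function_exists( 'esc_url' ) ) {
	function esc_url( $url ) {
		return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
	}
}

// Hypothetical helper: URL goes into the attribute as-is, with the
// non-positional %1s / %2s specifiers the ticket describes.
function demo_link_raw( $url, $text ) {
	return sprintf( '<a href="%1s">%2s</a>', $url, $text );
}

// Hypothetical helper: URL escaped for attribute context, positional specifiers.
function demo_link_escaped( $url, $text ) {
	return sprintf( '<a href="%1$s">%2$s</a>', esc_url( $url ), $text );
}

// Constructed value standing in for a permalink after a filter has altered it.
$url = 'https://example.test/?p=7&ref="x';

echo demo_link_raw( $url, 'June 2, 2026' ), PHP_EOL;
echo demo_link_escaped( $url, 'June 2, 2026' ), PHP_EOL;

// %1s and %2s are "%s" with a minimum field width of 1 and 2. They take
// arguments in call order, so swapping them in the format string does not
// swap the values, and a short value is space-padded to the width.
echo sprintf( '[%2s] [%1s]', 'a', 'b' ), PHP_EOL;

// %1$s and %2$s select arguments by position, so this format does swap them.
echo sprintf( '[%2$s] [%1$s]', 'a', 'b' ), PHP_EOL;
```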