From ec05c8b897ef4ae77fc0cba576573e90a726a52f Mon Sep 17 00:00:00 2001
From: Jake Spurlock <whyisjake@git.wordpress.org>
Date: Wed, 29 Apr 2020 15:32:19 +0000
Subject: [PATCH] Block Editor: Coding standards, properly escape class names.

Props: aduth, noisysocks, pento, talldanwp, jorgefilipecosta, whyisjake, ellatrix, ehti.


git-svn-id: https://develop.svn.wordpress.org/trunk@47636 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/blocks/rss.php    | 2 +-
 src/wp-includes/blocks/search.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/blocks/rss.php b/src/wp-includes/blocks/rss.php
index 0315cfc013..07ddb3d007 100644
--- a/src/wp-includes/blocks/rss.php
+++ b/src/wp-includes/blocks/rss.php
@@ -92,7 +92,7 @@ function render_block_core_rss( $attributes ) {
 		$class .= ' ' . $attributes['className'];
 	}
 
-	return "<ul class='{$class}'>{$list_items}</ul>";
+	return sprintf( "<ul class='%s'>%s</ul>", esc_attr( $class ), $list_items );
 }
 
 /**
diff --git a/src/wp-includes/blocks/search.php b/src/wp-includes/blocks/search.php
index 5face0b929..a140caf0e0 100644
--- a/src/wp-includes/blocks/search.php
+++ b/src/wp-includes/blocks/search.php
@@ -57,7 +57,7 @@ function render_block_core_search( $attributes ) {
 
 	return sprintf(
 		'<form class="%s" role="search" method="get" action="%s">%s</form>',
-		$class,
+		esc_attr( $class ),
 		esc_url( home_url( '/' ) ),
 		$label_markup . $input_markup . $button_markup
 	);