fix: escape title output to prevent XSS

Arukuen · Arukuen · commit 6da2f001934f · 2026-01-05T11:07:45.000+08:00
diff --git a/src/block/posts/index.php b/src/block/posts/index.php
@@ -58,6 +58,10 @@ function generate_render_item_from_stackable_posts_block( $post, $attributes, $t
 			if ( empty( $title ) ) {
 				$title = __( '(Untitled)', STACKABLE_I18N );
 			}
+
+			// Escape title output to prevent XSS
+			$title = esc_html( $title );
+
 			$new_template = str_replace( '!#title!#', $title, $new_template );
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,10 @@ function generate_render_item_from_stackable_posts_block( $post, $attributes, $t`
`58`	`58`	`if ( empty( $title ) ) {`
`59`	`59`	`$title = __( '(Untitled)', STACKABLE_I18N );`
`60`	`60`	`}`
	`61`	`+`
	`62`	`+ // Escape title output to prevent XSS`
	`63`	`+ $title = esc_html( $title );`
	`64`	`+`
`61`	`65`	`$new_template = str_replace( '!#title!#', $title, $new_template );`
`62`	`66`	`}`
`63`	`67`