Add escaping to wp-text

phpunit/directives/attributes/wp-text.php

@@ -17,17 +17,17 @@
  * @covers process_wp_text
  */
 class Tests_Directives_WpText extends WP_UnitTestCase {
-	public function test_directive_sets_inner_html_based_on_attribute_value() {
+	public function test_directive_sets_inner_html_based_on_attribute_value_and_escapes_html() {
 		$markup = '<div wp-text="context.myblock.someText"></div>';
 
 		$tags = new WP_Directive_Processor( $markup );
 		$tags->next_tag();
 
-		$context_before = new WP_Directive_Context( array( 'myblock' => array( 'someText' => 'Lorem ipsum dolor sit.' ) ) );
+		$context_before = new WP_Directive_Context( array( 'myblock' => array( 'someText' => 'The HTML tag <br> produces a line break.' ) ) );
 		$context        = clone $context_before;
 		process_wp_text( $tags, $context );
 
-		$expected_markup = '<div wp-text="context.myblock.someText">Lorem ipsum dolor sit.</div>';
+		$expected_markup = '<div wp-text="context.myblock.someText">The HTML tag &lt;br&gt; produces a line break.</div>';
 		$this->assertSame( $expected_markup, $tags->get_updated_html() );
 		$this->assertSame( $context_before->get_context(), $context->get_context(), 'wp-text directive changed context' );
 	}

src/directives/attributes/wp-text.php

@@ -13,5 +13,5 @@ function process_wp_text( $tags, $context ) {
 	}
 
 	$text = evaluate( $value, $context->get_context() );
-	$tags->set_inner_html( $text );
+	$tags->set_inner_html( esc_html( $text ) );
 }