Late escape Table of Contents block (#37882)

* First pass

* Add additional escape of page url

packages/block-library/src/table-of-contents/index.php

@@ -261,14 +261,14 @@ function ( $child_node ) use ( $entry_class, $page_url ) {
 
 				$entry = sprintf(
 					'<a class="%1$s" href="%2$s">%3$s</a>',
-					$entry_class,
+					esc_attr( $entry_class ),
 					esc_url( $href ),
 					esc_html( $content )
 				);
 			} else {
 				$entry = sprintf(
 					'<span class="%1$s">%2$s</span>',
-					$entry_class,
+					esc_attr( $entry_class ),
 					esc_html( $content )
 				);
 			}
@@ -279,7 +279,7 @@ function ( $child_node ) use ( $entry_class, $page_url ) {
 				$child_node['children']
 					? block_core_table_of_contents_render_list(
 						$child_node['children'],
-						$page_url
+						esc_url( $page_url )
 					)
 					: null
 			);