From 29ec9e0261c1c915bb75db4c4679f91225f685d1 Mon Sep 17 00:00:00 2001
From: Dave Smith <getdavemail@gmail.com>
Date: Tue, 11 Jan 2022 16:32:41 +0000
Subject: [PATCH] Late escape Table of Contents block (#37882)

* First pass

* Add additional escape of page url
---
 packages/block-library/src/table-of-contents/index.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/block-library/src/table-of-contents/index.php b/packages/block-library/src/table-of-contents/index.php
index a957b5d4bc3a1a..6408bb53c0175d 100644
--- a/packages/block-library/src/table-of-contents/index.php
+++ b/packages/block-library/src/table-of-contents/index.php
@@ -261,14 +261,14 @@ function ( $child_node ) use ( $entry_class, $page_url ) {
 
 				$entry = sprintf(
 					'<a class="%1$s" href="%2$s">%3$s</a>',
-					$entry_class,
+					esc_attr( $entry_class ),
 					esc_url( $href ),
 					esc_html( $content )
 				);
 			} else {
 				$entry = sprintf(
 					'<span class="%1$s">%2$s</span>',
-					$entry_class,
+					esc_attr( $entry_class ),
 					esc_html( $content )
 				);
 			}
@@ -279,7 +279,7 @@ function ( $child_node ) use ( $entry_class, $page_url ) {
 				$child_node['children']
 					? block_core_table_of_contents_render_list(
 						$child_node['children'],
-						$page_url
+						esc_url( $page_url )
 					)
 					: null
 			);