Escape output from shared block before display

Author: petitphp

includes/Blocks/SharedBlock.php

@@ -126,7 +126,16 @@ function () use ( $block_support_styles ) {
 				);
 			}
 
-			return $block_data['html'];
+			/**
+			 * Ensure Shared block output only contain allowed HTML tags and attributes.
+			 *
+			 * Since the shortcodes and embed from the original source have already been processed, we temporarily allow
+			 * the `iframe` tag in the output.
+			 */
+			add_filter( 'wp_kses_allowed_html', [ Helpers::class, 'kses_post_iframe_tag' ], 10, 2 );
+			$html = wp_kses_post( $block_data['html'] );
+			remove_filter( 'wp_kses_allowed_html', [ Helpers::class, 'kses_post_iframe_tag' ] );
+			return $html;
 		}
 
 		// When displaying excerpt content, prepare excerpt content and return the custom view.

includes/Helpers.php

@@ -226,4 +226,29 @@ public static function validate_shared_block_preview_request( string $request_to
 
 		return hash_equals( $token, $request_token );
 	}
+
+	/**
+	 * Add iframe tag to the list of allowed tags when using kses with the `post` context.
+	 *
+	 * @param array $tags List of allowed tags and attributes.
+	 * @param string $context Context name.
+	 *
+	 * @return array List of allowed tags and attributes.
+	 */
+	public static function kses_post_iframe_tag( $tags, $context ) {
+		if ( 'post' === $context ) {
+			$tags['iframe'] = [
+				'src'             => true,
+				'height'          => true,
+				'width'           => true,
+				'title'           => true,
+				'allow'           => true,
+				'loading'         => true,
+				'frameborder'     => true,
+				'allowfullscreen' => true,
+			];
+		}
+
+		return $tags;
+	}
 }

views/preview.php

@@ -10,6 +10,9 @@
 if ( ! defined( 'ABSPATH' ) ) {
 	die( '-1' );
 }
+
+use Beapi\MultisiteSharedBlocks\Helpers;
+
 ?>
 <!DOCTYPE html>
 <html>
@@ -33,8 +36,15 @@
 		$output .= render_block( $block );
 	}
 
-	echo $output; //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-	wp_footer();
+	/**
+	 * Ensure Shared block output only contain allowed HTML tags and attributes.
+	 *
+	 * Since the shortcodes and embed from the original source have already been processed, we temporarily allow
+	 * the `iframe` tag in the output.
+	 */
+	add_filter( 'wp_kses_allowed_html', [ Helpers::class, 'kses_post_iframe_tag' ], 10, 2 );
+	echo wp_kses_post( $output );
+	remove_filter( 'wp_kses_allowed_html', [ Helpers::class, 'kses_post_iframe_tag' ] );
 	?>
 </body>
 </html>