Add metadata support for single-root patterns in resolve_pattern_blocks function

Enhances the `resolve_pattern_blocks` function to include additional metadata attributes such as `description` and `categories` for single-root patterns. Updates unit tests to validate the new functionality, including sanitization of potentially harmful characters in pattern attributes.

Author: ramonjd

src/wp-includes/blocks.php

@@ -1844,6 +1844,7 @@ function traverse_and_serialize_block( $block, $pre_callback = null, $post_callb
  * Replaces patterns in a block tree with their content.
  *
  * @since 6.6.0
+ * @since n.e.x.t Adds metadata to attributes of single-pattern container blocks.
  *
  * @param array $blocks An array blocks.
  *
@@ -1884,10 +1885,23 @@ function resolve_pattern_blocks( $blocks ) {
 
 			// For single-root patterns, add the pattern name to make this a pattern instance in the editor.
 			if ( count( $blocks_to_insert ) === 1 ) {
-				$blocks_to_insert[0]['attrs']['metadata'] = array(
+				$metadata = array(
 					'patternName' => $slug,
-					'name'        => $pattern['title'],
 				);
+
+				if ( ! empty( $pattern['title'] ) ) {
+					$metadata['name'] = sanitize_text_field( $pattern['title'] );
+				}
+
+				if ( ! empty( $pattern['description'] ) ) {
+					$metadata['description'] = sanitize_text_field( $pattern['description'] );
+				}
+
+				if ( ! empty( $pattern['categories'] ) && is_array( $pattern['categories'] ) ) {
+					$metadata['categories'] = array_map( 'sanitize_text_field', $pattern['categories'] );
+				}
+
+				$blocks_to_insert[0]['attrs']['metadata'] = $metadata;
 			}
 
 			$seen_refs[ $slug ] = true;

tests/phpunit/tests/blocks/resolvePatternBlocks.php

@@ -36,6 +36,22 @@ public function set_up() {
 				'title'       => 'Single Root Pattern',
 				'content'     => '<!-- wp:paragraph -->Single root content<!-- /wp:paragraph -->',
 				'description' => 'A single root pattern.',
+				'categories'  => array( 'text' ),
+			)
+		);
+		register_block_pattern(
+			'core/single-root-with-forbidden-chars-in-attrs',
+			array(
+				'title'       => 'Single Root Pattern<script>alert("XSS")</script>',
+				'content'     => '<!-- wp:paragraph -->Single root content<!-- /wp:paragraph -->',
+				'description' => 'A single root pattern.<script>alert("XSS")</script><img src=x onerror=alert(1)>',
+				'categories'  => array(
+					'text<script>alert("XSS")</script>',
+					'bad\'); DROP TABLE wp_posts;--',
+					'<img src=x onerror=alert(1)>',
+					"evil\x00null\nbyte",
+					'category with <strong>html</strong> tags',
+				),
 			)
 		);
 		register_block_pattern(
@@ -52,6 +68,7 @@ public function set_up() {
 				'title'       => 'Nested Pattern',
 				'content'     => '<!-- wp:group --><!-- wp:paragraph -->Nested content<!-- /wp:paragraph --><!-- wp:pattern {"slug":"core/single-root"} /--><!-- /wp:group -->',
 				'description' => 'A nested single root pattern.',
+				'categories'  => array( 'featured' ),
 			)
 		);
 	}
@@ -60,7 +77,9 @@ public function tear_down() {
 		unregister_block_pattern( 'core/test' );
 		unregister_block_pattern( 'core/recursive' );
 		unregister_block_pattern( 'core/single-root' );
+		unregister_block_pattern( 'core/single-root-with-forbidden-chars-in-attrs' );
 		unregister_block_pattern( 'core/with-attrs' );
+		unregister_block_pattern( 'core/nested-single' );
 		parent::tear_down();
 	}
 
@@ -85,19 +104,45 @@ public function test_should_resolve_pattern_blocks_as_expected( $blocks, $expect
 	public function data_should_resolve_pattern_blocks_as_expected() {
 		return array(
 			// Works without attributes, leaves the block as is.
-			'pattern with no slug attribute' => array( '<!-- wp:pattern /-->', '<!-- wp:pattern /-->' ),
+			'pattern with no slug attribute' => array(
+				'<!-- wp:pattern /-->',
+				'<!-- wp:pattern /-->',
+			),
 			// Resolves the pattern.
-			'test pattern'                   => array( '<!-- wp:pattern {"slug":"core/test"} /-->', '<!-- wp:paragraph -->Hello<!-- /wp:paragraph --><!-- wp:paragraph -->World<!-- /wp:paragraph -->' ),
+			'test pattern'                   => array(
+				'<!-- wp:pattern {"slug":"core/test"} /-->',
+				'<!-- wp:paragraph -->Hello<!-- /wp:paragraph --><!-- wp:paragraph -->World<!-- /wp:paragraph -->',
+			),
 			// Skips recursive patterns.
-			'recursive pattern'              => array( '<!-- wp:pattern {"slug":"core/recursive"} /-->', '<!-- wp:paragraph -->Recursive<!-- /wp:paragraph -->' ),
+			'recursive pattern'              => array(
+				'<!-- wp:pattern {"slug":"core/recursive"} /-->',
+				'<!-- wp:paragraph -->Recursive<!-- /wp:paragraph -->',
+			),
 			// Resolves the pattern within a block.
-			'pattern within a block'         => array( '<!-- wp:group --><!-- wp:paragraph -->Before<!-- /wp:paragraph --><!-- wp:pattern {"slug":"core/test"} /--><!-- wp:paragraph -->After<!-- /wp:paragraph --><!-- /wp:group -->', '<!-- wp:group --><!-- wp:paragraph -->Before<!-- /wp:paragraph --><!-- wp:paragraph -->Hello<!-- /wp:paragraph --><!-- wp:paragraph -->World<!-- /wp:paragraph --><!-- wp:paragraph -->After<!-- /wp:paragraph --><!-- /wp:group -->' ),
+			'pattern within a block'         => array(
+				'<!-- wp:group --><!-- wp:paragraph -->Before<!-- /wp:paragraph --><!-- wp:pattern {"slug":"core/test"} /--><!-- wp:paragraph -->After<!-- /wp:paragraph --><!-- /wp:group -->',
+				'<!-- wp:group --><!-- wp:paragraph -->Before<!-- /wp:paragraph --><!-- wp:paragraph -->Hello<!-- /wp:paragraph --><!-- wp:paragraph -->World<!-- /wp:paragraph --><!-- wp:paragraph -->After<!-- /wp:paragraph --><!-- /wp:group -->',
+			),
 			// Resolves the single-root pattern and adds metadata.
-			'single-root pattern'            => array( '<!-- wp:pattern {"slug":"core/single-root"} /-->', '<!-- wp:paragraph {"metadata":{"patternName":"core/single-root","name":"Single Root Pattern"}} -->Single root content<!-- /wp:paragraph -->' ),
+			'single-root pattern'            => array(
+				'<!-- wp:pattern {"slug":"core/single-root"} /-->',
+				'<!-- wp:paragraph {"metadata":{"patternName":"core/single-root","name":"Single Root Pattern","description":"A single root pattern.","categories":["text"]}} -->Single root content<!-- /wp:paragraph -->',
+			),
 			// Existing attributes are preserved when adding metadata.
-			'existing attributes preserved'  => array( '<!-- wp:pattern {"slug":"core/with-attrs"} /-->', '<!-- wp:paragraph {"className":"custom-class","metadata":{"patternName":"core/with-attrs","name":"Pattern With Attrs"}} -->Content<!-- /wp:paragraph -->' ),
+			'existing attributes preserved'  => array(
+				'<!-- wp:pattern {"slug":"core/with-attrs"} /-->',
+				'<!-- wp:paragraph {"className":"custom-class","metadata":{"patternName":"core/with-attrs","name":"Pattern With Attrs","description":"A pattern with existing attributes."}} -->Content<!-- /wp:paragraph -->',
+			),
 			// Resolves the nested single-root pattern and adds metadata.
-			'nested single-root pattern'     => array( '<!-- wp:pattern {"slug":"core/nested-single"} /-->', '<!-- wp:group {"metadata":{"patternName":"core/nested-single","name":"Nested Pattern"}} --><!-- wp:paragraph -->Nested content<!-- /wp:paragraph --><!-- wp:paragraph {"metadata":{"patternName":"core/single-root","name":"Single Root Pattern"}} -->Single root content<!-- /wp:paragraph --><!-- /wp:group -->' ),
+			'nested single-root pattern'     => array(
+				'<!-- wp:pattern {"slug":"core/nested-single"} /-->',
+				'<!-- wp:group {"metadata":{"patternName":"core/nested-single","name":"Nested Pattern","description":"A nested single root pattern.","categories":["featured"]}} --><!-- wp:paragraph -->Nested content<!-- /wp:paragraph --><!-- wp:paragraph {"metadata":{"patternName":"core/single-root","name":"Single Root Pattern","description":"A single root pattern.","categories":["text"]}} -->Single root content<!-- /wp:paragraph --><!-- /wp:group -->',
+			),
+			// Sanitizes fields.
+			'sanitized pattern attrs'        => array(
+				'<!-- wp:pattern {"slug":"core/single-root-with-forbidden-chars-in-attrs"} /-->',
+				'<!-- wp:paragraph {"metadata":{"patternName":"core/single-root-with-forbidden-chars-in-attrs","name":"Single Root Pattern","description":"A single root pattern.","categories":["text","bad\'); DROP TABLE wp_posts;\u002d\u002d","","evil\u0000null byte","category with html tags"]}} -->Single root content<!-- /wp:paragraph -->',
+			),
 		);
 	}
 }