sanitize blocks

kaeizen · kaeizen · commit e563abb67544 · 2025-09-10T16:16:00.000+08:00
diff --git a/.config/externals.js b/.config/externals.js
@@ -42,7 +42,8 @@ const wpExternals = [
 	'keyboard-shortcuts',
 	'token-list',
 	'keycodes',
-	'escape-html'
+	'escape-html',
+	'dom'
 ].reduce( ( externals, name ) => ( {
 	...externals,
 	[ `@wordpress/${ name }` ]: `wp.${ camelCaseDash( name ) }`,
diff --git a/src/components/design-library-list/design-preview.js b/src/components/design-library-list/design-preview.js
@@ -5,6 +5,7 @@ import {
 	useEffect, createPortal, useRef,
 } from '@wordpress/element'
 import { applyFilters } from '@wordpress/hooks'
+import { safeHTML } from '@wordpress/dom'
 
 const NOOP = () => {}
 
@@ -88,7 +89,7 @@ export const DesignPreview = ( {
 			className={ shadowBodyClasses }
 		>
 			<div
-				dangerouslySetInnerHTML={ { __html: blocks } }
+				dangerouslySetInnerHTML={ { __html: safeHTML( blocks ) } }
 				style={ { pointerEvents: 'none' } }	// prevent blocks from being clicked
 			/>
 		</body>
