Fix Card blocks displaying raw HTML for meta text

georgeolaru · claude · georgeolaru · commit f716ba6639fb · 2026-02-11T21:32:23.000+02:00
The security escaping in 2.1.10 (commit a4f1895) applied esc_html() in novablocks_get_card_item_meta() which receives pre-built HTML from dynamic post cards. This escaped the internal <span> wrapper tags, displaying them as visible text instead of rendering them. Fix: escape text values at source in novablocks_get_post_card_meta(), escape static card attributes at call site, and use wp_kses_post() in the shared function to allow internally-generated HTML structure. Fixes #477 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/lib/block-rendering.php b/lib/block-rendering.php
@@ -1493,10 +1493,10 @@ function novablocks_get_card_contents( array $attributes ): string {
 
 	$output = '';
 
-	$output .= novablocks_get_card_item_meta( $attributes['metaAboveTitle'], $attributes );
+	$output .= novablocks_get_card_item_meta( esc_html( $attributes['metaAboveTitle'] ), $attributes );
 	$output .= novablocks_get_card_item_title( $attributes['title'], $attributes );
 	$output .= novablocks_get_card_item_subtitle( $attributes['subtitle'], $attributes );
-	$output .= novablocks_get_card_item_meta( $attributes['metaBelowTitle'], $attributes );
+	$output .= novablocks_get_card_item_meta( esc_html( $attributes['metaBelowTitle'] ), $attributes );
 	$output .= novablocks_get_card_item_description( $attributes['description'], $attributes );
 	$output .= novablocks_get_card_item_buttons( [
 		[
@@ -1514,7 +1514,7 @@ function novablocks_get_card_item_meta( $metaValue, array $attributes ): string
 		return '';
 	}
 
-	return '<p class="nb-card__meta is-style-meta">' . esc_html( $metaValue ) . '</p>';
+	return '<p class="nb-card__meta is-style-meta">' . wp_kses_post( $metaValue ) . '</p>';
 }
 
 function novablocks_get_card_item_title( string $title, array $attributes, $post = null ): string {
@@ -1741,7 +1741,7 @@ function novablocks_get_post_card_contents( $post, $attributes ): string {
 function novablocks_get_post_card_meta( $post, $meta ) {
 
 	if ( $meta === 'author' ) {
-		return get_the_author_meta( 'display_name', $post->post_author );
+		return esc_html( get_the_author_meta( 'display_name', $post->post_author ) );
 	}
 
 	if ( $meta === 'category' ) {
@@ -1769,7 +1769,7 @@ function novablocks_get_post_card_meta( $post, $meta ) {
 
 		if ( ! empty( $categories ) && ! is_wp_error( $categories ) ) {
 			// Return only the first one.
-			return $categories[0]->name;
+			return esc_html( $categories[0]->name );
 		} else {
 			return '';
 		}
@@ -1827,15 +1827,15 @@ function novablocks_get_post_card_meta( $post, $meta ) {
 		if ( ! empty( $tags ) && ! is_wp_error( $tags ) ) {
 			$tag_names = array_map( 'novablocks_get_tag_name', $tags );
 
-			return join( ', ', $tag_names );
+			return esc_html( join( ', ', $tag_names ) );
 		} else {
 			return '';
 		}
 	}
 
 	if ( $meta == 'reading-time' ) {
 		/* translators: %s: The post reading time in minutes. */
-		return sprintf( __( '%s min read', '__plugin_txtd' ), novablocks_get_post_reading_time_in_minutes( $post ) );
+		return esc_html( sprintf( __( '%s min read', '__plugin_txtd' ), novablocks_get_post_reading_time_in_minutes( $post ) ) );
 	}
 
 	return '';
diff --git a/nova-blocks.php b/nova-blocks.php
@@ -3,7 +3,7 @@
  * Plugin Name: Nova Blocks
  * Plugin URI: https://github.com/pixelgrade/nova-blocks/
  * Description: Nova Blocks is a collection of <strong>distinctive Gutenberg blocks</strong>, committed to making your site shine like a newborn star. It is taking a design-driven approach to help you made the right decisions and showcase your content in the best shape.
- * Version: 2.1.10
+ * Version: 2.1.11
  * Author: Pixelgrade
  * Author URI: https://www.pixelgrade.com
  * License: GPLv2 or later
diff --git a/readme.txt b/readme.txt
@@ -3,7 +3,7 @@ Contributors: pixelgrade, vlad.olaru, babbardel, razvanonofrei, gorby31
 Tags: blocks, editor, gutenberg, gutenberg blocks, page builder, block enabled, page building, full site editing, site editor, posts collection
 Requires at least: 5.9
 Tested up to: 6.9.1
-Stable tag: 2.1.10
+Stable tag: 2.1.11
 Requires PHP: 7.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -94,6 +94,9 @@ Yes! Nova Block's core features are free to use.
 
 == Changelog ==
 
+= 2.1.11 =
+* Fix: Card blocks displaying raw HTML span tags for category/author/tag meta text (regression from 2.1.10 security escaping).
+
 = 2.1.10 =
 * Security: Fixed Stored XSS in Separator block (CVE-2026-24528).
 * Security: Fixed Object Injection via unserialize() in author-box block.

Original file line number	Diff line number	Diff line change
`@@ -1493,10 +1493,10 @@ function novablocks_get_card_contents( array $attributes ): string {`
`1493`	`1493`
`1494`	`1494`	`$output = '';`
`1495`	`1495`
`1496`		`- $output .= novablocks_get_card_item_meta( $attributes['metaAboveTitle'], $attributes );`
	`1496`	`+ $output .= novablocks_get_card_item_meta( esc_html( $attributes['metaAboveTitle'] ), $attributes );`
`1497`	`1497`	`$output .= novablocks_get_card_item_title( $attributes['title'], $attributes );`
`1498`	`1498`	`$output .= novablocks_get_card_item_subtitle( $attributes['subtitle'], $attributes );`
`1499`		`- $output .= novablocks_get_card_item_meta( $attributes['metaBelowTitle'], $attributes );`
	`1499`	`+ $output .= novablocks_get_card_item_meta( esc_html( $attributes['metaBelowTitle'] ), $attributes );`
`1500`	`1500`	`$output .= novablocks_get_card_item_description( $attributes['description'], $attributes );`
`1501`	`1501`	`$output .= novablocks_get_card_item_buttons( [`
`1502`	`1502`	`[`
`@@ -1514,7 +1514,7 @@ function novablocks_get_card_item_meta( $metaValue, array $attributes ): string`
`1514`	`1514`	`return '';`
`1515`	`1515`	`}`
`1516`	`1516`
`1517`		`- return '<p class="nb-card__meta is-style-meta">' . esc_html( $metaValue ) . '</p>';`
	`1517`	`+ return '<p class="nb-card__meta is-style-meta">' . wp_kses_post( $metaValue ) . '</p>';`
`1518`	`1518`	`}`
`1519`	`1519`
`1520`	`1520`	`function novablocks_get_card_item_title( string $title, array $attributes, $post = null ): string {`
`@@ -1741,7 +1741,7 @@ function novablocks_get_post_card_contents( $post, $attributes ): string {`
`1741`	`1741`	`function novablocks_get_post_card_meta( $post, $meta ) {`
`1742`	`1742`
`1743`	`1743`	`if ( $meta === 'author' ) {`
`1744`		`- return get_the_author_meta( 'display_name', $post->post_author );`
	`1744`	`+ return esc_html( get_the_author_meta( 'display_name', $post->post_author ) );`
`1745`	`1745`	`}`
`1746`	`1746`
`1747`	`1747`	`if ( $meta === 'category' ) {`
`@@ -1769,7 +1769,7 @@ function novablocks_get_post_card_meta( $post, $meta ) {`
`1769`	`1769`
`1770`	`1770`	`if ( ! empty( $categories ) && ! is_wp_error( $categories ) ) {`
`1771`	`1771`	`// Return only the first one.`
`1772`		`- return $categories[0]->name;`
	`1772`	`+ return esc_html( $categories[0]->name );`
`1773`	`1773`	`} else {`
`1774`	`1774`	`return '';`
`1775`	`1775`	`}`
`@@ -1827,15 +1827,15 @@ function novablocks_get_post_card_meta( $post, $meta ) {`
`1827`	`1827`	`if ( ! empty( $tags ) && ! is_wp_error( $tags ) ) {`
`1828`	`1828`	`$tag_names = array_map( 'novablocks_get_tag_name', $tags );`
`1829`	`1829`
`1830`		`- return join( ', ', $tag_names );`
	`1830`	`+ return esc_html( join( ', ', $tag_names ) );`
`1831`	`1831`	`} else {`
`1832`	`1832`	`return '';`
`1833`	`1833`	`}`
`1834`	`1834`	`}`
`1835`	`1835`
`1836`	`1836`	`if ( $meta == 'reading-time' ) {`
`1837`	`1837`	`/* translators: %s: The post reading time in minutes. */`
`1838`		`- return sprintf( __( '%s min read', '__plugin_txtd' ), novablocks_get_post_reading_time_in_minutes( $post ) );`
	`1838`	`+ return esc_html( sprintf( __( '%s min read', '__plugin_txtd' ), novablocks_get_post_reading_time_in_minutes( $post ) ) );`
`1839`	`1839`	`}`
`1840`	`1840`
`1841`	`1841`	`return '';`