From af09ab1b3ad05ee283371c9765736d05ef2b82f0 Mon Sep 17 00:00:00 2001
From: Bernie Reiter <ockham@raz.or.at>
Date: Thu, 20 Oct 2022 16:28:56 +0200
Subject: [PATCH] Featured Image Block: Add missing output escaping

---
 packages/block-library/src/post-featured-image/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/post-featured-image/index.php b/packages/block-library/src/post-featured-image/index.php
index de5683b297027a..495c8ec534a41c 100644
--- a/packages/block-library/src/post-featured-image/index.php
+++ b/packages/block-library/src/post-featured-image/index.php
@@ -64,7 +64,7 @@ function render_block_core_post_featured_image( $attributes, $content, $block )
 		if ( ! empty( $attributes['scale'] ) ) {
 			$image_styles .= "object-fit:{$attributes['scale']};";
 		}
-		$featured_image = str_replace( 'src=', 'style="' . esc_attr( $image_styles ) . '" src=', $featured_image );
+		$featured_image = str_replace( '<img ', '<img style="' . esc_attr( safecss_filter_attr( $image_styles ) ) . '" ', $featured_image );
 	}
 
 	return "<figure {$wrapper_attributes}>{$featured_image}</figure>";