From 1b675cf75579ce973a22f4678e06c809c70b57fe Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Tue, 11 Jan 2022 14:49:07 +0000
Subject: [PATCH 1/6] Site logo first pass

---
 packages/block-library/src/site-logo/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/site-logo/index.php b/packages/block-library/src/site-logo/index.php
index 37a8417ea0274c..5385f69aae10f7 100644
--- a/packages/block-library/src/site-logo/index.php
+++ b/packages/block-library/src/site-logo/index.php
@@ -40,7 +40,7 @@ function render_block_core_site_logo( $attributes ) {
 		// Add the link target after the rel="home".
 		// Add an aria-label for informing that the page opens in a new tab.
 		$aria_label = 'aria-label="' . esc_attr__( '(Home link, opens in a new tab)' ) . '"';
-		$custom_logo = str_replace( 'rel="home"', 'rel="home" target="' . $attributes['linkTarget'] . '"' . $aria_label, $custom_logo );
+		$custom_logo = str_replace( 'rel="home"', 'rel="home" target="' . esc_attr( $attributes['linkTarget'] ) . '"' . $aria_label, $custom_logo );
 	}
 
 	$classnames = array();

From 44bfdcd57388a42e5a2c7c13ab7373719f63aa77 Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Tue, 11 Jan 2022 14:50:16 +0000
Subject: [PATCH 2/6] First pass site tagline

---
 packages/block-library/src/site-tagline/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/site-tagline/index.php b/packages/block-library/src/site-tagline/index.php
index 75375e5bb1e792..1389bd92379b2a 100644
--- a/packages/block-library/src/site-tagline/index.php
+++ b/packages/block-library/src/site-tagline/index.php
@@ -23,7 +23,7 @@ function render_block_core_site_tagline( $attributes ) {
 	return sprintf( '
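Review bot: The rewritten `str_replace` replacement still concatenates `$aria_label` directly onto the closing quote of the target attribute, so the emitted anchor reads `target="_blank"aria-label="…"` with no separator, because `$aria_label` on the context line above is defined without a leading space. Browsers recover from the missing whitespace, but it is a parse error and brittle for anything else that consumes the markup; change the join to `. '" ' . $aria_label`. `esc_attr()` is the right escaper for an attribute value here; the condition that guards this block, and any restriction it places on `linkTarget`, lies outside the hunk, as does the rest of render_block_core_site_logo.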

%2$s

',
 		$wrapper_attributes,
-		$site_tagline
+		esc_html( $site_tagline )
 	);
 }

From d23bd4da7c08df638604b3cfbd9185abd9354eb1 Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Tue, 11 Jan 2022 14:52:06 +0000
Subject: [PATCH 3/6] First pass site title

---
 packages/block-library/src/site-title/index.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/block-library/src/site-title/index.php b/packages/block-library/src/site-title/index.php
index a7de6feffa1f0b..ff6007795dece2 100644
--- a/packages/block-library/src/site-title/index.php
+++ b/packages/block-library/src/site-title/index.php
@@ -29,15 +29,15 @@ function render_block_core_site_title( $attributes ) {
 
 	if ( $attributes['isLink'] ) {
 		$link_attrs = array(
-			'href="' . get_bloginfo( 'url' ) . '"',
-			'rel="home"',
+			'href="' . esc_url( get_bloginfo( 'url' ) ) . '"',
+			esc_attr( 'rel="home"' ),
 			$aria_current,
 		);
 		if ( '_blank' === $attributes['linkTarget'] ) {
 			$link_attrs[] = 'target="_blank"';
 			$link_attrs[] = 'aria-label="' . esc_attr__( '(opens in a new tab)' ) . '"';
 		}
-		$site_title = sprintf( '%2$s', implode( ' ', $link_attrs ), $site_title );
+		$site_title = sprintf( '%2$s', implode( ' ', $link_attrs ), esc_html( $site_title ) );
 	}
 
 	$wrapper_attributes = get_block_wrapper_attributes( array( 'class' => $align_class_name ) );

From d1b494eca58e9187a23f2dd04f86eeed6ff26149 Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Tue, 11 Jan 2022 14:52:33 +0000
Subject: [PATCH 4/6] Force heading level to be int in site title

---
 packages/block-library/src/site-title/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/site-title/index.php b/packages/block-library/src/site-title/index.php
index ff6007795dece2..b219e8ea876bc2 100644
--- a/packages/block-library/src/site-title/index.php
+++ b/packages/block-library/src/site-title/index.php
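Review bot: `esc_html( $site_title )` is applied only inside the `if ( $attributes['isLink'] )` branch, so when the block is not rendered as a link `$site_title` reaches the output with whatever escaping the code outside this hunk provides, and from the hunk alone it cannot be confirmed that the non-link path is escaped at all. Escaping once before the branch, `$site_title = esc_html( $site_title );`, and passing the plain `$site_title` into the `sprintf` covers both paths, and it also makes explicit that after this block the variable holds anchor markup, so nothing downstream may run `esc_html()` over it again without mangling the link. The `esc_attr( 'rel="home"' )` on the new side is reworked later in this series (PATCH 5/6), so it is not raised here. render_block_core_site_title starts and ends outside the hunk.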
@@ -24,7 +24,7 @@ function render_block_core_site_title( $attributes ) {
 	$aria_current = is_home() || ( is_front_page() && 'page' === get_option( 'show_on_front' ) ) ? ' aria-current="page"' : '';
 
 	if ( isset( $attributes['level'] ) ) {
-		$tag_name = 0 === $attributes['level'] ? 'p' : 'h' . $attributes['level'];
+		$tag_name = 0 === $attributes['level'] ? 'p' : 'h' . (int) $attributes['level'];
 	}
 
 	if ( $attributes['isLink'] ) {

From 322e0b28cdfb73e151a1ba30112ac33ab9686bc2 Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Wed, 12 Jan 2022 12:35:50 +0000
Subject: [PATCH 5/6] Escape HTML attr value not entire string

---
 packages/block-library/src/site-title/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/site-title/index.php b/packages/block-library/src/site-title/index.php
index b219e8ea876bc2..899dae92fd2c26 100644
--- a/packages/block-library/src/site-title/index.php
+++ b/packages/block-library/src/site-title/index.php
@@ -30,7 +30,7 @@ function render_block_core_site_title( $attributes ) {
 	if ( $attributes['isLink'] ) {
 		$link_attrs = array(
 			'href="' . esc_url( get_bloginfo( 'url' ) ) . '"',
-			esc_attr( 'rel="home"' ),
+			'rel="' . esc_attr( 'home') . '"',
 			$aria_current,
 		);
 		if ( '_blank' === $attributes['linkTarget'] ) {

From c794dff3b0be8803880490b9d1273e4f698e93bf Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Thu, 13 Jan 2022 10:29:58 +0000
Subject: [PATCH 6/6] Fix lint error

---
 packages/block-library/src/site-title/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/block-library/src/site-title/index.php b/packages/block-library/src/site-title/index.php
index 899dae92fd2c26..d7871d16f3a365 100644
--- a/packages/block-library/src/site-title/index.php
+++ b/packages/block-library/src/site-title/index.php
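Review bot: The new line casts `$attributes['level']` to int only on the right-hand side, while the `0 === $attributes['level']` test on the left still strictly compares the uncast value; a level arriving as the string `'0'` or as `0.0` fails that test and yields `'h0'`, an invalid tag name, and a value such as `7` becomes `h7`. Cast once and compare the cast value: `$level    = (int) $attributes['level'];` followed by `$tag_name = 0 === $level ? 'p' : 'h' . $level;`, and consider restricting `$level` to 1–6 before building the tag name, since `$tag_name` is presumably interpolated into markup further down the function. Where `$tag_name` is defaulted when `level` is unset lies outside the hunk.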
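Review bot: `esc_attr( 'home')` wraps a string literal that cannot vary, so the call protects nothing and reads as though a variable were being escaped; the constant is clearer written as `'rel="home"',`, with escaping reserved for the variable inputs around it (`esc_url()` on the href above, `esc_attr__()` on the aria-label below). If the call is kept so that every element of `$link_attrs` visibly passes through an escaper, a comment such as `// Constant value; esc_attr() kept only so every attribute here visibly goes through an escaper.` would spare the next reader a hunt for an input. PATCH 6/6 touches the same line and only corrects the spacing inside the call. The enclosing function starts and ends outside the hunk.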
@@ -30,7 +30,7 @@ function render_block_core_site_title( $attributes ) {
 	if ( $attributes['isLink'] ) {
 		$link_attrs = array(
 			'href="' . esc_url( get_bloginfo( 'url' ) ) . '"',
-			'rel="' . esc_attr( 'home') . '"',
+			'rel="' . esc_attr( 'home' ) . '"',
 			$aria_current,
 		);
 		if ( '_blank' === $attributes['linkTarget'] ) {