From a11e02d44e60a037e7d1baeb33da421cda2ba9e3 Mon Sep 17 00:00:00 2001
From: Ryan Kienstra
Date: Mon, 2 May 2022 14:31:08 -0500
Subject: [PATCH 1/2] Use direct comparison of filter_input(), as it doesn't sanitize

---
 php/Admin/Upgrade.php | 4 +---
 php/Blocks/Loader.php | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/php/Admin/Upgrade.php b/php/Admin/Upgrade.php
index 3ee913ee..4ad76446 100644
--- a/php/Admin/Upgrade.php
+++ b/php/Admin/Upgrade.php
@@ -52,10 +52,8 @@ public function enqueue_scripts() {
 			return;
 		}
 
-		$page = filter_input( INPUT_GET, 'page' );
-
 		// Enqueue scripts and styles on the edit screen of the Block post type.
-		if ( $this->slug === $page ) {
+		if ( filter_input( INPUT_GET, 'page' ) === $this->slug ) {
 			wp_enqueue_style(
 				$this->slug,
 				$this->plugin->get_url( 'css/admin.upgrade.css' ),
diff --git a/php/Blocks/Loader.php b/php/Blocks/Loader.php
index dc70d331..01245efa 100644
--- a/php/Blocks/Loader.php
+++ b/php/Blocks/Loader.php
@@ -330,9 +330,7 @@ protected function render_block_template( $block, $attributes, $content ) {
 		$type = 'block';
 
 		// This is hacky, but the editor doesn't send the original request along.
-		$context = filter_input( INPUT_GET, 'context' );
-
-		if ( 'edit' === $context ) {
+		if ( 'edit' === filter_input( INPUT_GET, 'context' ) ) {
 			$type = [ 'preview', 'block' ];
 		}
 

From b16a986f7feea1520e045ea1393379daf3b126aa Mon Sep 17 00:00:00 2001
From: Ryan Kienstra
Date: Mon, 2 May 2022 14:34:19 -0500
Subject: [PATCH 2/2] Call wp_strip_all_tags(), as there wasn't filtering without this

---
 php/Blocks/Controls/InnerBlocks.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/php/Blocks/Controls/InnerBlocks.php b/php/Blocks/Controls/InnerBlocks.php
index 222ccea7..dece9881 100644
--- a/php/Blocks/Controls/InnerBlocks.php
+++ b/php/Blocks/Controls/InnerBlocks.php
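Review bot: The rewritten condition in the Upgrade.php hunk puts the request value on the left, `filter_input( INPUT_GET, 'page' ) === $this->slug`, while the Loader.php hunk in the same patch keeps the known value first, `'edit' === filter_input( INPUT_GET, 'context' )`; for consistency with that hunk and with the line being replaced, `if ( $this->slug === filter_input( INPUT_GET, 'page' ) ) {` reads better. Behaviour is the same either way: filter_input() returns null when the parameter is absent and the strict comparison against a string rejects that, so no further sanitisation is needed for a value that is only ever compared. enqueue_scripts() begins and ends outside the hunk.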
@@ -53,7 +53,7 @@ public function validate( $value, $echo ) {
 		$content = genesis_custom_blocks()->loader->get_data( 'content' );
 
 		return empty( $content )
-			? urldecode( filter_input( INPUT_GET, 'inner_blocks' ) )
+			? urldecode( wp_strip_all_tags( filter_input( INPUT_GET, 'inner_blocks' ) ) )
 			: $content;
 	}
 }
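Review bot: The new filter is applied in the wrong order on the added line: wp_strip_all_tags() runs on the still-encoded value and urldecode() only afterwards, so a value whose angle brackets are percent-encoded passes the strip untouched and is decoded back into markup in the returned string — and since PHP already decodes the query string once before filter_input() sees it, the extra urldecode() exists precisely for values encoded a second time, which are the ones the strip misses. Swap the calls: `? wp_strip_all_tags( urldecode( (string) filter_input( INPUT_GET, 'inner_blocks' ) ) )`; the `(string)` cast also covers the null that filter_input() returns when the parameter is absent, so both helpers always receive a string. Separately, if `inner_blocks` carries serialized block markup (the name suggests it, but the hunk shows no consumer), stripping all tags would also remove the block delimiter comments and HTML and change what validate() returns for legitimate input, so confirm the intended format before settling on wp_strip_all_tags() rather than a markup-preserving filter such as wp_kses_post(). validate() starts outside the hunk; only its tail is shown.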