From e3ccb230d1333b6eb81a6f9ec839535750d59937 Mon Sep 17 00:00:00 2001
From: "Daniel W. Robert"
Date: Tue, 26 Sep 2023 10:12:29 -0400
Subject: [PATCH] Update escaping for Featured Item product image
---
 plugins/woocommerce-blocks/src/BlockTypes/FeaturedItem.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/plugins/woocommerce-blocks/src/BlockTypes/FeaturedItem.php b/plugins/woocommerce-blocks/src/BlockTypes/FeaturedItem.php
index 4decc617dce..aeb7d340242 100644
--- a/plugins/woocommerce-blocks/src/BlockTypes/FeaturedItem.php
+++ b/plugins/woocommerce-blocks/src/BlockTypes/FeaturedItem.php
@@ -201,7 +201,8 @@ abstract class FeaturedItem extends AbstractDynamicBlock {
 * @return string
 */
 private function render_image( $attributes, $item, string $image_url ) {
- $style = sprintf( 'object-fit: %s;', esc_attr( $attributes['imageFit'] ) );
+ $style = sprintf( 'object-fit: %s;', esc_attr( $attributes['imageFit'] ) );
+ $img_alt = $attributes['alt'] ?: $this->get_item_title( $item );
 if ( $this->hasFocalPoint( $attributes ) ) {
 $style .= sprintf(
@@ -214,7 +215,7 @@ abstract class FeaturedItem extends AbstractDynamicBlock {
 if ( ! empty( $image_url ) ) {
 return sprintf(
 '%1$s',
- wp_kses_post( $attributes['alt'] ?: $this->get_item_title( $item ) ),
+ esc_attr( $img_alt ),
 $this->block_name,
 esc_url( $image_url ),
 esc_attr( $style )
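Review bot: On the re-aligned `$style` line, `esc_attr()` only HTML-encodes `$attributes['imageFit']`; it does not restrict the value to a CSS keyword, so a stored attribute that carries more than one keyword ends up verbatim inside the inline style. Since this commit is tightening output handling in `render_image()`, consider checking the value against the fixed set of fits the block supports before formatting it, for example `$fit = in_array( $attributes['imageFit'], $allowed_fits, true ) ? $attributes['imageFit'] : $default_fit;` (both variable names are placeholders). Separately, `$attributes['alt'] ?: …` reads the key directly and would raise an undefined-key warning if `alt` is ever absent; `! empty( $attributes['alt'] )` avoids that if defaults are not applied upstream, which is not visible here. The function body continues outside the hunk.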
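Review bot: `$this->block_name` is now the only `sprintf()` argument in this call that reaches the markup without an escaping function; wrapping it as `esc_attr( $this->block_name ),` would keep the call consistent with late-escaping convention, even if the value is a fixed class property in practice. The switch to `esc_attr()` for the alt text relies on the first placeholder sitting inside a quoted attribute, which cannot be confirmed here because the format string is not legible on this page and the `sprintf()` call closes outside the hunk. The diffstat shows a single file changed, so a regression test asserting that an alt value containing a double quote and a tag is rendered as inert attribute text would pin the fix.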