Skip to content

fix: allow dollar sign in custom blocks #946

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nicholasio merged 4 commits into from
Apr 1, 2026
Merged

fix: allow dollar sign in custom blocks #946

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7dee44d
fix: allow dollar sign in custom blocks
pdavies88 Mar 27, 2026
4ea9438
fix: composer lint issue
pdavies88 Mar 27, 2026
0dc499b
fix: update changeset and add in tests
pdavies88 Mar 31, 2026
1d9e7f8
fix: test fixes from bugbot
pdavies88 Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .changeset/fix-gutenberg-dollar-sign.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
"@headstartwp/headstartwp": patch
---

Fix Gutenberg block attribute rendering when JSON attribute values contain dollar signs (for example, `$50 million`), preventing incorrect replacement escaping.

3 changes: 2 additions & 1 deletion wp/headless-wp/includes/classes/Integrations/Gutenberg.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -320,7 +320,8 @@ public function process_block_with_dom_document_api( $html, $block_name, $block_
public function set_block_attributes_tag_api( $placeholder, $html, $block_attrs_serialized ) {
$search = sprintf( '/data-wp-block="%s"/', preg_quote( $placeholder, '/' ) );
$replace = sprintf( 'data-wp-block="%s"', htmlspecialchars( $block_attrs_serialized ) );

// Escape backslashes and dollar signs for the replacement string
$replace = str_replace( [ '\\', '$' ], [ '\\\\', '\\$' ], $replace );
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
return preg_replace(
$search,
Expand Down
36 changes: 36 additions & 0 deletions wp/headless-wp/tests/php/tests/TestGutenbergIntegration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,34 @@ public function test_render_classic_block() {
);
}

/**
* Tests HTML_Tag_Processor attribute injection does not drop `$...` sequences
* in serialized JSON string values (e.g. "$50 million").
*
* This specifically covers the preg_replace() replacement-string escaping logic
* used by set_block_attributes_tag_api().
*
* @return void
*/
public function test_set_block_attributes_tag_api_preserves_dollar_signs() {
$placeholder = '___HEADSTARTWP_BLOCK_ATTRS___';
$html = '<p data-wp-block="' . $placeholder . '"></p>';
$attrs_json = wp_json_encode(
[
'content' => '$50 million',
'level' => 2,
]
);

$enhanced = $this->parser->set_block_attributes_tag_api( $placeholder, $html, $attrs_json );

// set_block_attributes_tag_api() only replaces the `data-wp-block` placeholder value.
$this->assertStringNotContainsString( $placeholder, $enhanced );
$this->assertStringContainsString( 'data-wp-block="', $enhanced );
// The core assertion: `$50` should not be interpreted by preg_replace() replacement parsing.
$this->assertStringContainsString( '$50 million', $enhanced );
}

/**
* Test to ensure the parser handles both HTML and Multi-byte encodings properly
*
Expand Down Expand Up @@ -435,6 +463,14 @@ public function block_roundtrip_data_provider() {
],
'<!-- wp:heading {"x":"&#038;"} --> <h2></h2> <!-- /wp:heading -->',
],
'block value containing dollar sign in JSON string' => [
'core/heading',
[
'x' => '$50 million',
'level' => 2,
],
'<!-- wp:heading {"x":"$50 million"} --> <h2></h2> <!-- /wp:heading -->',
],
'html_entities' => [
'core/heading',
[
Expand Down
Loading