aria-labelledby="szModalTitle" references an element id that isn't present in the markup (the <h2> only has data-role). This breaks screen reader labeling for the dialog. Add id="szModalTitle" to the title element (or update aria-labelledby to match the actual id).

This wrapper renders both a literal class="sched-wrapper sched" attribute and get_block_wrapper_attributes(), which will also output its own class attribute. Duplicate class attributes produce invalid HTML and can break block classes. Prefer using get_block_wrapper_attributes([ 'class' => 'sched-wrapper sched' ]) and remove the hard-coded class attribute.

Speaker social links set a.href directly from Sessionize data without validating the URL scheme. A javascript: (or other non-http/https) URL from upstream data would become an XSS vector. Before assigning href, validate/normalize to allow only http:/https: (and optionally mailto:) and skip/omit links that don't pass.

wireModalControls_ attaches a document-level keydown listener for Escape inside initSpeakerGrid. If multiple Sessionize Speakers blocks appear on a page, this will register multiple global listeners. Consider registering the handler once (e.g., per-modal, or via a shared singleton) to avoid duplicated listeners and make teardown easier.

install-sessionize-schedule points to ../../plugins/sessionize-schedule/, but the plugin added in this PR is web/wp-content/plugins/sessionize-blocks/ (and there is no sessionize-schedule directory). Update the script name/path to install the correct plugin directory.

This wrapper renders both a literal class="sz-speakers-wrap" attribute and get_block_wrapper_attributes(), which will also output its own class attribute. Duplicate class attributes produce invalid HTML and can break block classes. Prefer using get_block_wrapper_attributes([ 'class' => 'sz-speakers-wrap' ]) and remove the hard-coded class attribute.

This <div> renders a class attribute and also prints get_block_wrapper_attributes(), which typically includes its own class="...". That produces duplicate class attributes (invalid HTML) and may break styling/JS targeting. Prefer echo get_block_wrapper_attributes( array( 'class' => 'sched-wrapper sched' ) ); and remove the hard-coded class attribute.

warmSpeakerAssets_ preloads every speaker avatar by creating new Image() instances. For large events this can trigger hundreds/thousands of network requests and significantly impact page performance/bandwidth. Consider limiting warming to above-the-fold/visible cards, adding a hard cap, or disabling this by default (or gating behind a config option).

The init function name sessionize_register_blocks is very generic and could collide with functions from other plugins/themes. Other plugins in this repo use a more specific prefix (e.g. cgb_block_*). Consider renaming to something plugin-scoped like sessionize_blocks_register_blocks and updating the add_action accordingly.

The config values are being escaped (esc_attr, esc_url) before being JSON-encoded and placed into a data-* attribute. This can double-escape values (e.g. & becoming &) and break URLs/strings when parsed by JS. Prefer sanitizing (e.g. sanitize_text_field / esc_url_raw) when building the config array, and only escaping once at output time with esc_attr( wp_json_encode(...) ).

This block sets --sz-* CSS variables on document.documentElement, which affects the entire page and can cause conflicts if multiple Sessionize blocks are present or if other components reuse similar variables. Consider scoping these variables to the block root (and to the moved modal element) instead of the global <html> element.

The CSS custom properties are defined on :root, so they apply globally across the site and can unintentionally affect other blocks/pages (and be affected by other CSS). Prefer scoping these variables to .sz-speakers-wrap (or another block-specific root) and rely on cascading for the modal by setting the same vars on the modal/root when opened.

wireModalControls_ adds a document-level keydown listener every time the block initializes. If multiple speaker blocks are on the page, Escape handling will be registered multiple times and all handlers will run. Consider registering a single shared listener (or namespacing/removing listeners on teardown) and scoping it so only the active modal instance handles Escape.

Like the speakers block, the schedule config values are escaped with esc_attr(...) before JSON encoding. That can double-escape/alter values (notably publicSlug, filter titles, etc.) when the JS reads them. Prefer sanitizing raw values for storage in the config array and escaping only once at output time.

link.url from the Sessionize API is assigned directly to a.href. If the API data contains a javascript: (or other unsafe) URL, this becomes an XSS vector when clicked. Validate/normalize URLs before assigning (e.g., allow only http/https/mailto, otherwise skip the link), and consider using rel="noopener noreferrer" for external links opened with _blank.

This block sets CSS variables on document.documentElement (--sz-purple, --sz-purple-2), which makes the styling global. If multiple speaker blocks with different themes are on the same page, the last-initialized block will override the variables for all blocks. Consider scoping these variables to the block root element (e.g., root.style.setProperty(...)) and updating the CSS to read vars from .sz-speakers-wrap rather than :root.

The speaker social link href is set directly from Sessionize data. If a link URL is javascript:/data: (or otherwise malformed), clicking it becomes an XSS/vector. Validate/normalize the URL and only allow safe protocols (e.g., http:/https:) before assigning to a.href. Also consider using rel="noopener noreferrer" when target="_blank".

The default apiCode causes the block to immediately fetch data from a specific external Sessionize event (pc6leesj) even if the editor hasn't configured anything. For production, it’s safer to default this to an empty string and show an editor-side placeholder instead, to avoid unintended external requests/content.

The default apiCode is set to pc6leesj, which will trigger external Sessionize fetches by default and may surface unrelated content if someone inserts the block without configuring it. Consider defaulting apiCode to an empty string and requiring explicit configuration to avoid unintended external dependencies/requests.

The editor help text says leaving scheduleBaseUrl blank disables session links, but sessionUrl_() returns '#' when the base URL is empty/invalid. This still renders clickable <a href="#"> links that will jump the page to the top. Consider returning an empty string/null and conditionally rendering a non-link title when links are disabled.